AC-24: Access Control Decisions

Control Family:

Access Control

CSF v1.1 References:

PF v1.0 References:


  • Low


  • Moderate


  • High


Next Version:

Control Statement

The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.

Supplemental Guidance

Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when information systems enforce access control decisions. While it is very common to have access control decisions and access enforcement implemented by the same entity, it is not required and it is not always an optimal implementation choice. For some architectures and distributed information systems, different entities may perform access control decisions and access enforcement.

Control Enhancements

AC-24(1): Transmit Access Authorization Information


(Not part of any baseline)

The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions.

AC-24(2): No User Or Process Identity


(Not part of any baseline)

The information system enforces access control decisions based on [Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user.