The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.
The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy: Is uniformly enforced across all subjects and objects within the boundary of the information system; Specifies that a subject that has been granted access to information is constrained from doing any of the following; Passing the information…
The information system enforces [Assignment: organization-defined discretionary access control policy] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following: Pass the information to any other subjects or objects; Grant its privileges to other subjects; Change security attributes…
The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].
The information system does not release information outside of the established system boundary unless: The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release.
The organization employs an audited override of automated access control mechanisms under [Assignment: organization-defined conditions].