AC-3: Access Enforcement

Control Family:

Access Control

Baselines:

  • Low
    • AC-3
  • Moderate
    • AC-3
  • High
    • AC-3

Control Statement

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Supplemental Guidance

Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.

Control Enhancements

AC-3(2): Dual Authorization

Baseline(s):

(Not part of any baseline)

The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].

AC-3(3): Mandatory Access Control

Baseline(s):

(Not part of any baseline)

The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy: Is uniformly enforced across all subjects and objects within the boundary of the information system; Specifies that a subject that has been granted access to information is constrained from doing any of the following: Passing the information…

AC-3(4): Discretionary Access Control

Baseline(s):

(Not part of any baseline)

The information system enforces [Assignment: organization-defined discretionary access control policy] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following: Pass the information to any other subjects or objects; Grant its privileges to other subjects; Change security attributes…

AC-3(5): Security-Relevant Information

Baseline(s):

(Not part of any baseline)

The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.

AC-3(7): Role-Based Access Control

Baseline(s):

(Not part of any baseline)

The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].

AC-3(8): Revocation Of Access Authorizations

Baseline(s):

(Not part of any baseline)

The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].

AC-3(9): Controlled Release

Baseline(s):

(Not part of any baseline)

The information system does not release information outside of the established system boundary unless: The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release.