AC-24: Access Control Decisions
Control Family:
CSF v1.1 References:
PF v1.0 References:
Threats Addressed:
Baselines:
- Low
N/A
- Moderate
N/A
- High
N/A
- Privacy
N/A
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- AC-24: Access Control Decisions
Control Statement
[Assignment: Establish procedures, Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
Supplemental Guidance
Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when systems enforce access control decisions. While it is common to have access control decisions and access enforcement implemented by the same entity, it is not required, and it is not always an optimal implementation choice. For some architectures and distributed systems, different entities may make access control decisions and enforce access.
Control Enhancements
AC-24(1): Transmit Access Authorization Information
Baseline(s):
Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions.
AC-24(2): No User or Process Identity
Baseline(s):
Enforce access control decisions based on [Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user.