AC-3: Access Enforcement

Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].

Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: Is uniformly enforced across the covered subjects and objects within the system; Specifies that a subject that has been granted access to information is constrained from doing any of the following; Passing…

Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: Pass the information to any other subjects or objects; Grant its privileges to…

Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.

Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].

Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].

Release information outside of the system only if: The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release.

Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].

Restrict access to data repositories containing [Assignment: organization-defined information types].

Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]; Provide an enforcement mechanism to prevent unauthorized access; and Approve access changes after initial installation of the application.

Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions].

Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements].

Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.