AC-3(11): Restrict Access to Specific Information Types

Control Family:

Access Control

Parent Control:

AC-3: Access Enforcement

CSF v1.1 References:

PR.AC-4
PR.PT-3

Threats Addressed:

Elevation of Privilege
Lateral Movement

Baselines:

(Not part of any baseline)

Control is new to this version of the control set.

Control Statement

Restrict access to data repositories containing [Assignment: organization-defined information types].

Supplemental Guidance

Restricting access to specific information is intended to provide flexibility regarding access control of specific information types within a system. For example, role-based access could be employed to allow access to only a specific type of personally identifiable information within a database rather than allowing access to the database in its entirety. Other examples include restricting access to cryptographic keys, authentication information, and selected system information.

Control Statement

Supplemental Guidance

Related Controls

NIST Special Publication 800-53 Revision 5