AC-3(15): Discretionary and Mandatory Access Control
Control Family:
Parent Control:
Threats Addressed:
Baselines:
(Not part of any baseline)
Control is new to this version of the control set.
Control Statement
- Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and
- Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.
Supplemental Guidance
Simultaneously implementing a mandatory access control policy and a discretionary access control policy can provide additional protection against the unauthorized execution of code by users or processes acting on behalf of users. This helps prevent a single compromised user or process from compromising the entire system.