AC - Access Control

  • Controls Count: 39
  • Controls IDs: AC-1, AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (5), AC-2 (13), AC-3, AC-4, AC-5, AC-6, AC-6 (1), AC-6 (2), AC-6 (5), AC-6 (7), AC-6 (9), AC-6 (10), AC-7, AC-8, AC-11, AC-11 (1), AC-12, AC-14, AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-18, AC-18 (1), AC-18 (3), AC-19, AC-19 (5), AC-20, AC-20 (1), AC-20 (2), AC-21, AC-22

Controls

AC-1: Policy and Procedures

Develop, document, and disseminate to organization-defined personnel or roles:

organization-level, mission/business process-level, and/or system-level access control policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

Procedures to facilitate the implementation of the access control policy and the associated access controls;

Designate an organization-defined official to manage the development, documentation, and dissemination of the access control policy and procedures; and

Review and update the current access control:

Policy at an organization-defined frequency and following organization-defined events; and

Procedures at an organization-defined frequency and following organization-defined events.

Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

an access control policy is developed and documented;

the access control policy is disseminated to organization-defined personnel or roles;

access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;

the access control procedures are disseminated to organization-defined personnel or roles;

the organization-level, mission/business process-level, and/or system-level access control policy addresses purpose;

the organization-level, mission/business process-level, and/or system-level access control policy addresses scope;

the organization-level, mission/business process-level, and/or system-level access control policy addresses roles;

the organization-level, mission/business process-level, and/or system-level access control policy addresses responsibilities;

the organization-level, mission/business process-level, and/or system-level access control policy addresses management commitment;

the organization-level, mission/business process-level, and/or system-level access control policy addresses coordination among organizational entities;

the organization-level, mission/business process-level, and/or system-level access control policy addresses compliance;

the organization-level, mission/business process-level, and/or system-level access control policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

an organization-defined official is designated to manage the development, documentation, and dissemination of the access control policy and procedures;

the current access control policy is reviewed and updated at an organization-defined frequency;

the current access control policy is reviewed and updated following organization-defined events;

the current access control procedures are reviewed and updated at an organization-defined frequency;

the current access control procedures are reviewed and updated following organization-defined events.

Access control policy and procedures

system security plan

privacy plan

other relevant documents or records

Organizational personnel with access control responsibilities

organizational personnel with information security and privacy responsibilities

AC-2: Account Management

Define and document the types of accounts allowed and specifically prohibited for use within the system;

Assign account managers;

Require organization-defined prerequisites and criteria for group and role membership;

Specify:

Authorized users of the system;

Group and role membership; and

Access authorizations (i.e., privileges) and organization-defined attributes (as required) for each account;

Require approvals by organization-defined personnel or roles for requests to create accounts;

Create, enable, modify, disable, and remove accounts in accordance with organization-defined policy, procedures, prerequisites, and criteria;

Monitor the use of accounts;

Notify account managers and organization-defined personnel or roles within:

an organization-defined time period when accounts are no longer required;

an organization-defined time period when users are terminated or transferred; and

an organization-defined time period when system usage or need-to-know changes for an individual;

Authorize access to the system based on:

A valid access authorization;

Intended system usage; and

organization-defined attributes (as required);

Review accounts for compliance with account management requirements at an organization-defined frequency;

Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and

Align account management processes with personnel termination and transfer processes.

Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.

Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.

Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.

account types allowed for use within the system are defined and documented;

account types specifically prohibited for use within the system are defined and documented;

account managers are assigned;

organization-defined prerequisites and criteria for group and role membership are required;

authorized users of the system are specified;

group and role membership are specified;

access authorizations (i.e., privileges) are specified for each account;

organization-defined attributes (as required) are specified for each account;

approvals by organization-defined personnel or roles are required for requests to create accounts;

accounts are created in accordance with organization-defined policy, procedures, prerequisites, and criteria;

accounts are enabled in accordance with organization-defined policy, procedures, prerequisites, and criteria;

accounts are modified in accordance with organization-defined policy, procedures, prerequisites, and criteria;

accounts are disabled in accordance with organization-defined policy, procedures, prerequisites, and criteria;

accounts are removed in accordance with organization-defined policy, procedures, prerequisites, and criteria;

the use of accounts is monitored;

account managers and organization-defined personnel or roles are notified within an organization-defined time period when accounts are no longer required;

account managers and organization-defined personnel or roles are notified within an organization-defined time period when users are terminated or transferred;

account managers and organization-defined personnel or roles are notified within an organization-defined time period when system usage or the need to know changes for an individual;

access to the system is authorized based on a valid access authorization;

access to the system is authorized based on intended system usage;

access to the system is authorized based on organization-defined attributes (as required);

accounts are reviewed for compliance with account management requirements at an organization-defined frequency;

a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;

a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;

account management processes are aligned with personnel termination processes;

account management processes are aligned with personnel transfer processes.

Access control policy

personnel termination policy and procedure

personnel transfer policy and procedure

procedures for addressing account management

system design documentation

system configuration settings and associated documentation

list of active system accounts along with the name of the individual associated with each account

list of recently disabled system accounts and the name of the individual associated with each account

list of conditions for group and role membership

notifications of recent transfers, separations, or terminations of employees

access authorization records

account management compliance reviews

system monitoring records

system audit records

system security plan

privacy plan

other relevant documents or records

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security and privacy responsibilities

Organizational processes for account management on the system

mechanisms for implementing account management

AC-2 (1): Automated System Account Management

Support the management of system accounts using organization-defined automated mechanisms.

Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications.

the management of system accounts is supported using organization-defined automated mechanisms.

Access control policy

procedures for addressing account management

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Automated mechanisms for implementing account management functions

AC-2 (2): Automated Temporary and Emergency Account Management

Automatically remove or disable temporary and emergency accounts after an organization-defined time period.

Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation.

temporary and emergency accounts are automatically removed or disabled after an organization-defined time period.

Access control policy

procedures for addressing account management

system design documentation

system configuration settings and associated documentation

system-generated list of temporary accounts removed and/or disabled

system-generated list of emergency accounts removed and/or disabled

system audit records

system security plan

other relevant documents or records

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Automated mechanisms for implementing account management functions

AC-2 (3): Disable Accounts

Disable accounts within an organization-defined time period when the accounts:

Have expired;

Are no longer associated with a user or individual;

Are in violation of organizational policy; or

Have been inactive for an organization-defined period.

Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system.
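The following is an added example, not part of the control catalog, showing how the AC-2(2) and AC-2(3) conditions above can be evaluated mechanically over an account inventory. The field names, the Policy values (7-day temporary/emergency lifetime, 90-day inactivity limit), the exemption for accounts of last resort described under AC-2, and the sample accounts are all assumptions constructed for the illustration.

```python
"""Account lifecycle check modelled on AC-2(2) and AC-2(3).

Added example, not part of the control catalog. Field names, the
Policy values and the sample accounts are all constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    name: str
    kind: str                       # individual, service, temporary, emergency, last-resort, ...
    owner: Optional[str]            # None: no longer associated with a person (AC-2(3)(b))
    created: date
    expires: Optional[date] = None  # None: no expiry set
    last_login: Optional[date] = None
    policy_violation: bool = False  # flagged by a review or by monitoring (AC-2(3)(c))
    enabled: bool = True


@dataclass
class Policy:
    """Organization-defined parameters the control leaves open (assumed values)."""
    temp_emergency_max_age: timedelta = timedelta(days=7)   # AC-2(2) time period
    inactivity_limit: timedelta = timedelta(days=90)        # AC-2(3)(d) time period
    # AC-2 discussion: accounts of last resort are not subject to automatic disabling
    exempt_kinds: frozenset = frozenset({"last-resort"})


def disable_reasons(acct: Account, policy: Policy, today: date) -> list:
    """Return the AC-2 conditions that a still-enabled account currently meets."""
    if not acct.enabled or acct.kind in policy.exempt_kinds:
        return []
    reasons = []
    # AC-2(2): temporary and emergency accounts are removed/disabled after a fixed period
    if acct.kind in ("temporary", "emergency") and today - acct.created >= policy.temp_emergency_max_age:
        reasons.append("AC-2(2): temporary/emergency account past its time period")
    # AC-2(3)(a): expired
    if acct.expires is not None and acct.expires <= today:
        reasons.append("AC-2(3)(a): expired")
    # AC-2(3)(b): orphaned
    if acct.owner is None:
        reasons.append("AC-2(3)(b): not associated with a user or individual")
    # AC-2(3)(c): policy violation
    if acct.policy_violation:
        reasons.append("AC-2(3)(c): in violation of organizational policy")
    # AC-2(3)(d): inactivity; accounts never used are measured from creation
    last_activity = acct.last_login or acct.created
    if today - last_activity >= policy.inactivity_limit:
        reasons.append("AC-2(3)(d): inactive")
    return reasons


def accounts_to_disable(accounts, policy: Policy, today: date) -> dict:
    """Map account name -> reasons, only for accounts that should be disabled now."""
    result = {}
    for acct in accounts:
        reasons = disable_reasons(acct, policy, today)
        if reasons:
            result[acct.name] = reasons
    return result


# Constructed sample inventory and reference date.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "individual", "Alice", date(2023, 1, 10), last_login=date(2024, 5, 30)),
    Account("bob", "individual", "Bob", date(2023, 1, 10), last_login=date(2024, 1, 15)),
    Account("svc-backup", "service", None, date(2022, 6, 1), last_login=date(2024, 5, 31)),
    Account("tmp-contractor", "temporary", "Carol", date(2024, 5, 20),
            expires=date(2024, 6, 30), last_login=date(2024, 5, 31)),
    Account("emerg-dr", "emergency", "Dave", date(2024, 5, 31), last_login=date(2024, 5, 31)),
    Account("erin", "individual", "Erin", date(2024, 3, 1),
            expires=date(2024, 5, 31), last_login=date(2024, 5, 30)),
    Account("frank", "individual", "Frank", date(2024, 4, 1),
            last_login=date(2024, 5, 30), policy_violation=True),
    Account("break-glass", "last-resort", "Ops", date(2020, 1, 1), last_login=date(2021, 1, 1)),
    Account("gone", "individual", None, date(2023, 1, 1), last_login=date(2024, 5, 30), enabled=False),
]

if __name__ == "__main__":
    for name, why in accounts_to_disable(SAMPLE_ACCOUNTS, Policy(), TODAY).items():
        print(name, "->", "; ".join(why))
```

Run on the sample data this flags bob (inactive), svc-backup (no owner), tmp-contractor (temporary account past 7 days), erin (expired) and frank (policy violation), while the exempt break-glass account and the already-disabled account are left alone.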

accounts are disabled within an organization-defined time period when the accounts have expired;

accounts are disabled within an organization-defined time period when the accounts are no longer associated with a user or individual;

accounts are disabled within an organization-defined time period when the accounts are in violation of organizational policy;

accounts are disabled within an organization-defined time period when the accounts have been inactive for an organization-defined period.

Access control policy

procedures for addressing account management

system security plan

system design documentation

system configuration settings and associated documentation

system-generated list of accounts removed

system-generated list of emergency accounts disabled

system audit records

other relevant documents or records

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Mechanisms for implementing account management functions

AC-2 (4): Automated Audit Actions

Automatically audit account creation, modification, enabling, disabling, and removal actions.

Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6.

account creation is automatically audited;

account modification is automatically audited;

account enabling is automatically audited;

account disabling is automatically audited;

account removal actions are automatically audited.

Access control policy

procedures addressing account management

system design documentation

system configuration settings and associated documentation

notifications/alerts of account creation, modification, enabling, disabling, and removal actions

system audit records

system security plan

other relevant documents or records

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

Automated mechanisms implementing account management functions

AC-2 (5): Inactivity Logout

Require that users log out when they expect inactivity longer than an organization-defined time period, or under other organization-defined conditions for when to log out.

Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by AC-11.

users are required to log out when they expect inactivity longer than an organization-defined time period, or under other organization-defined conditions for when to log out.

Access control policy

procedures addressing account management

system design documentation

system configuration settings and associated documentation

security violation reports

system audit records

system security plan

other relevant documents or records

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

users that must comply with inactivity logout policy

AC-2 (13): Disable Accounts for High-risk Individuals

Disable accounts of individuals within an organization-defined time period of discovery of organization-defined significant risks.

Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals.

accounts of individuals are disabled within an organization-defined time period of discovery of organization-defined significant risks.

Access control policy

procedures addressing account management

system design documentation

system configuration settings and associated documentation

system-generated list of disabled accounts

list of user activities posing significant organizational risk

system audit records

system security plan

other relevant documents or records

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

Mechanisms implementing account management functions

AC-3: Access Enforcement

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family.

approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.

Access control policy

procedures addressing access enforcement

system design documentation

system configuration settings and associated documentation

list of approved authorizations (user privileges)

system audit records

system security plan

privacy plan

other relevant documents or records

Organizational personnel with access enforcement responsibilities

system/network administrators

organizational personnel with information security and privacy responsibilities

system developers

Mechanisms implementing access control policy

AC-4: Information Flow Enforcement

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on organization-defined information flow control policies.

Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.

Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS).
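As an added example (not from the control catalog) of the flow restrictions the discussion lists, the rule evaluator below applies three of them to constructed connection records: rejecting traffic that arrives on the external interface with an internal source address, rejecting outbound web requests that do not originate from the internal web proxy, and rejecting export-controlled payloads that would leave the organization unencrypted. The internal address ranges, the proxy address, the `label`/`encrypted` attributes on a flow and the sample flows are all assumptions.

```python
"""Information flow enforcement rules modelled on the AC-4 discussion.

Added example, not from the control catalog. Network ranges, the proxy
address, the flow attributes and the sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Assumed organizational address space and policy enforcement points.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WEB_PROXY = ipaddress.ip_address("10.0.0.5")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    ingress: str            # "external" or "internal": interface the traffic arrived on
    label: str = "public"   # security attribute of the payload, e.g. "export-controlled"
    encrypted: bool = False  # whether the payload is protected in transit


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(flow: Flow) -> tuple:
    """Return (decision, reason) for one flow under the example AC-4 policy."""
    src_internal = is_internal(flow.src)
    dst_internal = is_internal(flow.dst)
    # Rule 1: external traffic that claims to be from within the organization
    if flow.ingress == "external" and src_internal:
        return ("deny", "spoofed internal source on external interface")
    # Rule 2: outbound web requests must come from the internal web proxy
    if (src_internal and not dst_internal and flow.dport in WEB_PORTS
            and ipaddress.ip_address(flow.src) != WEB_PROXY):
        return ("deny", "web request not from internal proxy")
    # Rule 3: export-controlled information must not leave the organization in the clear
    if flow.label == "export-controlled" and not dst_internal and not flow.encrypted:
        return ("deny", "export-controlled data leaving in the clear")
    return ("allow", "no flow restriction matched")


def audit(flows) -> list:
    """Evaluate each flow; returns [(decision, reason), ...] in input order."""
    return [evaluate(f) for f in flows]


# Constructed sample flows (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "10.0.0.9", 443, "external"),                       # spoofed internal source
    Flow("10.1.2.3", "198.51.100.10", 443, "internal"),                  # web request bypassing proxy
    Flow("10.0.0.5", "198.51.100.10", 443, "internal"),                  # web request via proxy
    Flow("10.1.2.3", "198.51.100.10", 25, "internal", label="export-controlled"),
    Flow("10.1.2.3", "198.51.100.10", 25, "internal", label="export-controlled", encrypted=True),
    Flow("10.1.2.3", "10.0.0.9", 445, "internal", label="export-controlled"),  # stays internal
    Flow("203.0.113.7", "10.0.0.9", 443, "external"),                    # ordinary inbound request
]

if __name__ == "__main__":
    for flow, (decision, reason) in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{decision:5} {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
```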

approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on organization-defined information flow control policies.

Access control policy

information flow control policies

procedures addressing information flow enforcement

security architecture documentation

privacy architecture documentation

system design documentation

system configuration settings and associated documentation

system baseline configuration

list of information flow authorizations

system audit records

system security plan

privacy plan

other relevant documents or records

System/network administrators

organizational personnel with information security and privacy architecture development responsibilities

organizational personnel with information security and privacy responsibilities

system developers

Mechanisms implementing information flow enforcement policy

AC-5: Separation of Duties

Identify and document organization-defined duties of individuals requiring separation; and

Define system access authorizations to support separation of duties.

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in AC-2, access control mechanisms in AC-3, and identity management activities in IA-2, IA-4, and IA-12.

organization-defined duties of individuals requiring separation are identified and documented;

system access authorizations to support separation of duties are defined.

Access control policy

procedures addressing divisions of responsibility and separation of duties

system configuration settings and associated documentation

list of divisions of responsibility and separation of duties

system access authorizations

system audit records

system security plan

other relevant documents or records

Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties

organizational personnel with information security responsibilities

system/network administrators

Mechanisms implementing separation of duties policy

AC-6: Least Privilege

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.

the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Access control policy

procedures addressing least privilege

list of assigned access authorizations (user privileges)

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

Mechanisms implementing least privilege functions

AC-6 (1): Authorize Access to Security Functions

Authorize access for organization-defined individuals and roles to:

organization-defined security functions (deployed in hardware, software, and firmware); and

organization-defined security-relevant information.

Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users.

access is authorized for organization-defined individuals and roles to organization-defined security functions (deployed in hardware);

access is authorized for organization-defined individuals and roles to organization-defined security functions (deployed in software);

access is authorized for organization-defined individuals and roles to organization-defined security functions (deployed in firmware);

access is authorized for organization-defined individuals and roles to organization-defined security-relevant information.

Access control policy

procedures addressing least privilege

list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

Mechanisms implementing least privilege functions

AC-6 (2): Non-privileged Access for Nonsecurity Functions

Require that users of system accounts (or roles) with access to organization-defined security functions or security-relevant information use non-privileged accounts or roles when accessing nonsecurity functions.

Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

users of system accounts (or roles) with access to organization-defined security functions or security-relevant information are required to use non-privileged accounts or roles when accessing nonsecurity functions.

Access control policy

procedures addressing least privilege

list of system-generated security functions or security-relevant information assigned to system accounts or roles

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

Mechanisms implementing least privilege functions

AC-6 (5): Privileged Accounts

Restrict privileged accounts on the system to organization-defined personnel or roles.

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk.

privileged accounts on the system are restricted to organization-defined personnel or roles.

Access control policy

procedures addressing least privilege

list of system-generated privileged accounts

list of system administration personnel

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

Mechanisms implementing least privilege functions

AC-6 (7): Review of User Privileges

Review the privileges assigned to organization-defined roles or classes of users at an organization-defined frequency to validate the need for such privileges; and

Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.

The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.
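Worked example (added here, not part of the NIST text): a review routine that compares the privileges a system actually grants to each role against a documented baseline and, using audit records of which privileges were exercised, produces the reassign/remove actions AC-6 (7)b calls for. The role names, privilege names, baseline and the sample snapshot are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Documented baseline: the privileges each role is justified in holding.
# Constructed for illustration; an organization keeps this in its access
# control policy and system security plan, not hard-coded.
ROLE_BASELINE: dict[str, set[str]] = {
    "helpdesk": {"reset_password", "view_user"},
    "dba":      {"view_user", "db_admin"},
    "sysadmin": {"view_user", "manage_accounts", "configure_audit", "db_admin"},
}

@dataclass
class Finding:
    role: str
    privilege: str
    action: str   # "remove" or "revalidate"
    reason: str

def review_privileges(assigned: dict[str, set[str]],
                      baseline: dict[str, set[str]] = ROLE_BASELINE,
                      usage: dict[str, set[str]] | None = None) -> list[Finding]:
    """Compare privileges the system actually grants against the documented
    baseline and return the corrective actions.

    assigned: role -> privileges currently granted (from the system's access
              authorization list).
    usage:    role -> privileges exercised since the last review (from audit
              records). A baseline privilege that was never used is flagged
              for revalidation instead of being silently kept.
    """
    usage = usage or {}
    findings: list[Finding] = []
    for role, privs in sorted(assigned.items()):
        allowed = baseline.get(role)
        if allowed is None:
            # A role with no documented justification holds nothing legitimately.
            for p in sorted(privs):
                findings.append(Finding(role, p, "remove", "role not in baseline"))
            continue
        for p in sorted(privs - allowed):
            findings.append(Finding(role, p, "remove", "privilege not justified for role"))
        for p in sorted(privs & allowed):
            if role in usage and p not in usage[role]:
                findings.append(Finding(role, p, "revalidate",
                                        "justified but unused since last review"))
    return findings

def demo() -> list[Finding]:
    # Constructed snapshot of current assignments: helpdesk has drifted beyond
    # its baseline and a legacy contractor role was never documented.
    assigned = {
        "helpdesk": {"reset_password", "view_user", "manage_accounts"},
        "dba": {"view_user", "db_admin"},
        "contractor_legacy": {"db_admin"},
    }
    # Constructed usage summary from audit records: the DBA role never used db_admin.
    usage = {"dba": {"view_user"}}
    return review_privileges(assigned, usage=usage)

if __name__ == "__main__":
    for f in demo():
        print(f"{f.action:10} {f.role}/{f.privilege}: {f.reason}")
```

Two things the paragraph leaves implicit are made concrete: a role that no longer appears in the baseline is treated as having no justified privileges at all, and a privilege that is justified on paper but was never used since the last review is flagged for revalidation rather than kept by default, which is the "need cannot be revalidated" case the discussion refers to.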

privileges assigned to organization-defined roles or classes of users are reviewed at an organization-defined frequency to validate the need for such privileges;

privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.

Access control policy

procedures addressing least privilege

list of system-generated roles or classes of users and assigned privileges

system design documentation

system configuration settings and associated documentation

validation reviews of privileges assigned to roles or classes of users

records of privilege removals or reassignments for roles or classes of users

system audit records

system security plan

other relevant documents or records

Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

Mechanisms implementing review of user privileges

AC-6 (9): Log Use of Privileged Functions

Log the execution of privileged functions.

The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat.

the execution of privileged functions is logged.

Access control policy

procedures addressing least privilege

system design documentation

system configuration settings and associated documentation

list of privileged functions to be audited

list of audited events

system audit records

system security plan

other relevant documents or records

Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

system developers

Mechanisms auditing the execution of least privilege functions

AC-6 (10): Prohibit Non-privileged Users from Executing Privileged Functions

Prevent non-privileged users from executing privileged functions.

Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by AC-3.
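Worked example (added here; not NIST's and not taken from any product) covering AC-6 (9) and AC-6 (10) together: a reference-monitor style wrapper that refuses to run a privileged function unless the caller holds a role authorized for that specific function, and writes an audit record for every attempt, denied or successful. The function names, roles, log fields and the in-memory audit sink are constructed for illustration.

```python
from __future__ import annotations
import functools
import time
from typing import Callable

# Constructed policy: the roles authorized for each privileged function.
# Note that membership is per function, not a single "admin" bit.
PRIVILEGED_FUNCTIONS: dict[str, set[str]] = {
    "create_account":   {"sysadmin"},
    "set_audit_policy": {"sysadmin", "security_officer"},
    "disable_ids":      {"security_officer"},
}

class Subject:
    def __init__(self, user: str, roles: set[str]):
        self.user, self.roles = user, frozenset(roles)

class PrivilegeError(PermissionError):
    pass

AUDIT_LOG: list[dict] = []   # stand-in for an append-only audit sink (AC-6 (9))

def _audit(subject: Subject, func: str, outcome: str, **extra) -> None:
    AUDIT_LOG.append({"ts": time.time(), "user": subject.user,
                      "roles": sorted(subject.roles), "function": func,
                      "outcome": outcome, **extra})

def privileged(func: Callable) -> Callable:
    """Deny unless one of the caller's roles is authorized for this function
    (AC-6 (10)); log denials, errors and successful executions alike (AC-6 (9))."""
    name = func.__name__
    if name not in PRIVILEGED_FUNCTIONS:
        raise ValueError(f"{name} is not registered as a privileged function")

    @functools.wraps(func)
    def wrapper(subject: Subject, *args, **kwargs):
        if not (subject.roles & PRIVILEGED_FUNCTIONS[name]):
            _audit(subject, name, "denied")
            raise PrivilegeError(f"{subject.user} may not execute {name}")
        try:
            result = func(subject, *args, **kwargs)
        except Exception as exc:
            _audit(subject, name, "error", error=type(exc).__name__)
            raise
        # Record what was done, not secrets: arguments here are identifiers only.
        _audit(subject, name, "success", args=[repr(a) for a in args])
        return result
    return wrapper

@privileged
def create_account(subject: Subject, username: str) -> str:
    return f"created {username}"

@privileged
def disable_ids(subject: Subject) -> str:
    return "ids disabled"

def demo() -> tuple[list[str], list[str]]:
    """Run a non-privileged user and a sysadmin against the functions; return the
    call results and the outcome field of each audit record, in order."""
    AUDIT_LOG.clear()
    results: list[str] = []
    calls = [
        (Subject("alice", {"user"}),          lambda s: create_account(s, "bob")),
        (Subject("root-admin", {"sysadmin"}), lambda s: create_account(s, "bob")),
        (Subject("root-admin", {"sysadmin"}), lambda s: disable_ids(s)),
    ]
    for subject, call in calls:
        try:
            results.append(call(subject))
        except PrivilegeError as exc:
            results.append(f"DENIED: {exc}")
    return results, [entry["outcome"] for entry in AUDIT_LOG]

if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Note that the sysadmin is denied disable_ids: AC-6 (10) is not a privileged/non-privileged binary, authorization is per function. In a real system the check belongs in the enforcement point AC-3 provides (kernel, policy decision point, database grants), because a Python decorator can be bypassed in-process through func.__wrapped__; and the audit sink must be append-only and outside the subject's control, otherwise the AC-6 (9) record can be erased by the same privileged user it is meant to catch.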

non-privileged users are prevented from executing privileged functions.

Access control policy

procedures addressing least privilege

system design documentation

system configuration settings and associated documentation

list of privileged functions and associated user account assignments

system audit records

system security plan

other relevant documents or records

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system developers

Mechanisms implementing least privilege functions for non-privileged users

AC-7: Unsuccessful Logon Attempts

Enforce a limit of an organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period; and

Automatically take one or more of the following selected actions when the maximum number of unsuccessful attempts is exceeded: lock the account or node for an organization-defined time period; lock the account or node until released by an administrator; delay the next logon prompt per an organization-defined delay algorithm; notify the system administrator; take other organization-defined action.

The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.
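Worked example (added here, not part of the NIST text): a logon guard implementing AC-7 with a sliding window of consecutive failures per account, a temporary lock that releases after the organization-defined period (or only on administrator release when that period is set to 0), an administrator notification, and an exponential delay algorithm for the next prompt. The parameter values, the account names and the choice of exponential backoff are illustrative assumptions, not values the control prescribes.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Policy:
    max_attempts: int = 3            # organization-defined number of attempts
    window_seconds: int = 900        # organization-defined time period for counting them
    lockout_seconds: int = 1800      # organization-defined lock period; 0 = until admin release
    base_delay_seconds: float = 1.0  # first step of the delay algorithm

@dataclass
class AccountState:
    failures: list[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float | None = None   # None = not locked; inf = until admin release

class LogonGuard:
    def __init__(self, policy: Policy, notify: Callable[[str], None]):
        self.policy, self.notify = policy, notify
        self.state: dict[str, AccountState] = {}

    def _prune(self, st: AccountState, now: float) -> None:
        # Only failures inside the window count as "consecutive".
        cutoff = now - self.policy.window_seconds
        st.failures = [t for t in st.failures if t > cutoff]

    def is_locked(self, account: str, now: float) -> bool:
        st = self.state.get(account)
        if st is None or st.locked_until is None:
            return False
        if now >= st.locked_until:
            st.locked_until = None       # temporary lock expired: release automatically
            st.failures.clear()
            return False
        return True

    def delay_before_prompt(self, account: str, now: float) -> float:
        """Delay algorithm: exponential backoff in the number of recent failures."""
        st = self.state.get(account)
        if st is None:
            return 0.0
        self._prune(st, now)
        if not st.failures:
            return 0.0
        return self.policy.base_delay_seconds * 2 ** (len(st.failures) - 1)

    def record_failure(self, account: str, now: float) -> bool:
        """Record an invalid attempt; return True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        st = self.state.setdefault(account, AccountState())
        self._prune(st, now)
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = (now + self.policy.lockout_seconds
                               if self.policy.lockout_seconds > 0 else float("inf"))
            self.notify(f"account {account} locked after {len(st.failures)} failures")
            return True
        return False

    def record_success(self, account: str, now: float) -> None:
        if self.is_locked(account, now):
            raise PermissionError(f"{account} is locked")
        self.state.pop(account, None)    # a successful logon resets the counter

    def admin_release(self, account: str) -> None:
        self.state.pop(account, None)

def demo() -> dict:
    """Constructed sequence of attempts for two accounts; returns what the guard decided."""
    notices: list[str] = []
    g = LogonGuard(Policy(), notices.append)
    t = 1_000_000.0                       # constructed epoch seconds
    out = {}
    out["fail1"] = g.record_failure("alice", t)
    out["delay_after_1"] = g.delay_before_prompt("alice", t)
    out["fail2"] = g.record_failure("alice", t + 10)
    out["delay_after_2"] = g.delay_before_prompt("alice", t + 10)
    out["fail3"] = g.record_failure("alice", t + 20)            # third failure: lock
    out["locked_now"] = g.is_locked("alice", t + 21)
    out["locked_after_period"] = g.is_locked("alice", t + 20 + 1800)
    # bob's first failure falls outside the window by the time the next two arrive.
    g.record_failure("bob", t)
    g.record_failure("bob", t + 1000)
    out["bob_locked"] = g.record_failure("bob", t + 1010)
    out["notices"] = notices
    return out

if __name__ == "__main__":
    print(demo())
```

The window is what addresses the denial-of-service concern the discussion raises: failures older than the window fall out of the count, so three attempts spread over a day do not lock the account, while three within a few seconds do. Setting lockout_seconds to 0 gives the "until released by an administrator" option for environments where automatic unlock is not permitted. The notify callback is where a SIEM alert would go; the guard stores only timestamps, never the attempted credentials.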

a limit of an organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period is enforced;

when the maximum number of unsuccessful attempts is exceeded, one or more of the following selected actions is taken automatically: the account or node is locked for an organization-defined time period; the account or node is locked until released by an administrator; the next logon prompt is delayed per an organization-defined delay algorithm; the system administrator is notified; other organization-defined action is taken.

Access control policy

procedures addressing unsuccessful logon attempts

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Organizational personnel with information security responsibilities

system developers

system/network administrators

Mechanisms implementing access control policy for unsuccessful logon attempts

AC-8: System Use Notification

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and states that:

Users are accessing a U.S. Government system;

System usage may be monitored, recorded, and subject to audit;

Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and

Use of the system indicates consent to monitoring and recording;

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and

For publicly accessible systems:

Display organization-defined conditions for system use before granting further access to the publicly accessible system;

Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

Include a description of the authorized uses of the system.

System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content.

an organization-defined system use notification message or banner is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

the system use notification states that users are accessing a U.S. Government system;

the system use notification states that system usage may be monitored, recorded, and subject to audit;

the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and

the system use notification states that use of the system indicates consent to monitoring and recording;

the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;

for publicly accessible systems, organization-defined conditions for system use are displayed before granting further access to the publicly accessible system;

for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;

for publicly accessible systems, a description of the authorized uses of the system is included.

Access control policy

privacy and security policies, procedures addressing system use notification

documented approval of system use notification messages or banners

system audit records

user acknowledgements of notification message or banner

system design documentation

system configuration settings and associated documentation

system use notification messages

system security plan

privacy plan

privacy impact assessment

privacy assessment report

other relevant documents or records

System/network administrators

organizational personnel with information security and privacy responsibilities

legal counsel

system developers

Mechanisms implementing system use notification

AC-11: Device Lock

Prevent further access to the system by initiating a device lock after an organization-defined time period of inactivity and/or by requiring the user to initiate a device lock before leaving the system unattended; and

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.

further access to the system is prevented by initiating a device lock after an organization-defined time period of inactivity and/or by requiring the user to initiate a device lock before leaving the system unattended;

device lock is retained until the user re-establishes access using established identification and authentication procedures.

Access control policy

procedures addressing session lock

procedures addressing identification and authentication

system design documentation

system configuration settings and associated documentation

security plan

system security plan

other relevant documents or records

System/network administrators

organizational personnel with information security responsibilities

system developers

Mechanisms implementing access control policy for session lock

AC-11 (1): Pattern-hiding Displays

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed.

information previously visible on the display is concealed, via device lock, with a publicly viewable image.

Access control policy

procedures addressing session lock

display screen with session lock activated

system design documentation

system configuration settings and associated documentation

system security plan

other relevant documents or records

System/network administrators

organizational personnel with information security responsibilities

system developers

System session lock mechanisms

AC-12: Session Termination

Automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.

Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.
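Worked example (added here, not part of the NIST text) covering both AC-11 and AC-12, since they share the same idle-time logic: a single scheduler pass over active sessions that locks a session after the organization-defined idle period (AC-11a), keeps it locked until the user re-authenticates (AC-11b), and terminates it on the AC-12 triggers the discussion names: longer inactivity, a time-of-day restriction, and an incident-response quarantine of a user. The thresholds, session records, clock values and the quarantine list are constructed for illustration; the example tracks session state only and does not itself kill processes.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time, timedelta

@dataclass
class Session:
    id: str
    user: str
    last_activity: datetime
    locked: bool = False
    terminated_reason: str | None = None

@dataclass
class SessionPolicy:
    lock_after: timedelta = timedelta(minutes=15)       # AC-11: inactivity before device lock
    terminate_after: timedelta = timedelta(hours=2)     # AC-12: inactivity before termination
    allowed_hours: tuple[time, time] = (time(6, 0), time(22, 0))  # AC-12: time-of-day window

def evaluate(sessions: list[Session], policy: SessionPolicy, now: datetime,
             quarantined_users: frozenset[str] = frozenset()) -> list[tuple[str, str]]:
    """One scheduler pass. Returns (session id, action) for every session touched.
    Termination triggers are checked in precedence order before the lock trigger,
    so a lock never shields a session from a termination condition."""
    actions: list[tuple[str, str]] = []
    start, end = policy.allowed_hours
    in_hours = start <= now.time() < end
    for s in sessions:
        if s.terminated_reason is not None:
            continue                                   # already terminated
        idle = now - s.last_activity
        if s.user in quarantined_users:
            reason = "incident_response"               # targeted response to an incident
        elif not in_hours:
            reason = "time_of_day"
        elif idle >= policy.terminate_after:
            reason = "inactivity"
        else:
            if idle >= policy.lock_after and not s.locked:
                s.locked = True
                actions.append((s.id, "lock"))
            continue
        s.terminated_reason = reason
        actions.append((s.id, "terminate:" + reason))
    return actions

def unlock(session: Session, reauthenticated: bool) -> bool:
    """AC-11b: the lock is retained until the user re-establishes access through
    identification and authentication; a terminated session cannot be unlocked."""
    if session.terminated_reason is not None or not reauthenticated:
        return False
    session.locked = False
    return True

def demo() -> tuple[list[tuple[str, str]], bool, list[tuple[str, str]]]:
    now = datetime(2024, 3, 4, 10, 0)                 # constructed: 10:00, inside allowed hours
    sessions = [
        Session("s1", "alice", now - timedelta(minutes=5)),    # active
        Session("s2", "bob",   now - timedelta(minutes=20)),   # idle past the lock threshold
        Session("s3", "carol", now - timedelta(hours=3)),      # idle past the termination threshold
        Session("s4", "dave",  now - timedelta(minutes=1)),    # active, but user is quarantined
    ]
    first = evaluate(sessions, SessionPolicy(), now, frozenset({"dave"}))
    unlocked_without_auth = unlock(sessions[1], reauthenticated=False)
    # Second pass outside allowed hours: every session still alive is terminated.
    second = evaluate(sessions, SessionPolicy(), datetime(2024, 3, 4, 23, 0))
    return first, unlocked_without_auth, second

if __name__ == "__main__":
    print(demo())
```

Precedence is deliberate: an incident-response trigger terminates even an active session, and the time-of-day restriction terminates even a locked one, so a device lock is never a way to outlive a termination condition. Whatever actually ends the session must still honour the discussion's exception for processes the owner explicitly created to continue afterwards, and ending the logical session is independent of dropping the network connection, which is SC-10's concern.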

a user session is automatically terminated after organization-defined conditions or trigger events requiring session disconnect.

Access control policy

procedures addressing session termination

system design documentation

system configuration settings and associated documentation

list of conditions or trigger events requiring session disconnect

system audit records

system security plan

other relevant documents or records

System/network administrators

organizational personnel with information security responsibilities

system developers

Automated mechanisms implementing user session termination

AC-14: Permitted Actions Without Identification or Authentication

Identify organization-defined user actions that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and

Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be "none."

organization-defined user actions that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;

user actions not requiring identification or authentication are documented in the security plan for the system;

a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.

Access control policy

procedures addressing permitted actions without identification or authentication

system configuration settings and associated documentation

security plan

list of user actions that can be performed without identification or authentication

system audit records

system security plan

other relevant documents or records

System/network administrators

organizational personnel with information security responsibilities

AC-17: Remote Access

Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

Authorize each type of remote access to the system prior to allowing such connections.

Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3.

usage restrictions are established and documented for each type of remote access allowed;

configuration/connection requirements are established and documented for each type of remote access allowed;

implementation guidance is established and documented for each type of remote access allowed;

each type of remote access to the system is authorized prior to allowing such connections.

Access control policy

procedures addressing remote access implementation and usage (including restrictions)

configuration management plan

system configuration settings and associated documentation

remote access authorizations

system audit records

system security plan

other relevant documents or records

Organizational personnel with responsibilities for managing remote access connections

system/network administrators

organizational personnel with information security responsibilities

Remote access management capability for the system

AC-17 (1): Monitoring and Control

Employ automated mechanisms to monitor and control remote access methods.

Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2. Audit events are defined in AU-2a.

automated mechanisms are employed to monitor remote access methods;

automated mechanisms are employed to control remote access methods.

Access control policy

procedures addressing remote access to the system

system design documentation

system configuration settings and associated documentation

system audit records

system monitoring records

system security plan

other relevant documents or records

System/network administrators

organizational personnel with information security responsibilities

system developers

Automated mechanisms monitoring and controlling remote access methods

AC-17 (2): Protection of Confidentiality and Integrity Using Encryption

Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions.
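Worked example (added here, not NIST's): the weak TLS client configuration commonly found in remote access tooling beside a hardened one, plus a small check that reports what an assessor would flag. It uses Python's standard ssl module; the CA bundle path parameter is an assumption and no connection is made, so it runs offline.

```python
from __future__ import annotations
import ssl

def weak_context() -> ssl.SSLContext:
    """What not to do: the peer is never authenticated and any protocol version the
    library still supports is accepted. The session is encrypted, but an active
    attacker presenting their own certificate is accepted as the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx

def hardened_context(cafile: str | None = None) -> ssl.SSLContext:
    """Authenticate the server against the organization's trust store (cafile is an
    assumed path; None uses the platform store), require the hostname to match,
    and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """The findings an assessor would raise against a client context."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS < 1.2 permitted")
    return findings

if __name__ == "__main__":
    print("weak:    ", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
```

Disabling certificate verification is the setting that silently defeats AC-17 (2): the session is still encrypted, but against an active adversary who substitutes their own certificate it provides neither confidentiality nor integrity. The minimum-version check matters for the same reason; TLS 1.0 and 1.1 are deprecated by RFC 8996.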

cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.

Access control policy

procedures addressing remote access to the system

system design documentation

system configuration settings and associated documentation

cryptographic mechanisms and associated configuration documentation

system audit records

system security plan

other relevant documents or records

System/network administrators

organizational personnel with information security responsibilities

system developers

Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions

AC-17 (3): Managed Access Control Points

Route remote accesses through authorized and managed network access control points.

Organizations consider the Trusted Internet Connections (TIC) initiative requirements (DHS TIC) for external network connections, since limiting the number of access control points for remote access reduces attack surfaces.

remote accesses are routed through authorized and managed network access control points.

Access control policy

procedures addressing remote access to the system

system design documentation

list of all managed network access control points

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

System/network administrators

organizational personnel with information security responsibilities

Mechanisms routing all remote accesses through managed network access control points

AC-17 (4): Privileged Commands and Access

Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for organization-defined needs; and

Document the rationale for remote access in the security plan for the system.

Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability.

the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;

access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;

the execution of privileged commands via remote access is authorized only for organization-defined needs requiring execution of privileged commands via remote access;

access to security-relevant information via remote access is authorized only for organization-defined needs requiring access to security-relevant information via remote access;

the rationale for remote access is documented in the security plan for the system.

Access control policy

procedures addressing remote access to the system

system configuration settings and associated documentation

security plan

system audit records

system security plan

other relevant documents or records

System/network administrators

organizational personnel with information security responsibilities

Mechanisms implementing remote access management

AC-18: Wireless Access

Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and

Authorize each type of wireless access to the system prior to allowing such connections.

Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication.

configuration requirements are established for each type of wireless access;

connection requirements are established for each type of wireless access;

implementation guidance is established for each type of wireless access;

each type of wireless access to the system is authorized prior to allowing such connections.

Access control policy

procedures addressing wireless access implementation and usage (including restrictions)

configuration management plan

system design documentation

system configuration settings and associated documentation

wireless access authorizations

system audit records

system security plan

other relevant documents or records

Organizational personnel with responsibilities for managing wireless access connections

organizational personnel with information security responsibilities

Wireless access management capability for the system

AC-18 (1): Authentication and Encryption

Protect wireless access to the system using authentication of users and/or devices and encryption.

Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies.
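As an added example (not part of the control text), the profile check below applies one reading of this enhancement to a set of wireless access profiles: authentication must identify a user or device (802.1X/EAP rather than a network-wide shared secret), the cipher must be CCMP or GCMP, and an EAP profile must validate the authentication server's certificate. The profile fields, the sample profiles and the acceptance rules are constructed; the rules are an interpretation, not a NIST-specified list.

```python
"""Check wireless access profiles against AC-18(1): authentication of users
and/or devices, plus encryption.

Added example, not part of the control text. Profile fields (ssid, auth,
cipher, validate_server_cert) and the sample profiles are constructed; the
acceptance rules are one reasonable reading of the control, not a NIST list.
"""

# Modes that authenticate an individual user or device identity (802.1X/EAP).
IDENTITY_AUTH = {"wpa2-eap", "wpa3-eap", "wpa3-eap-192"}
# Modes that only prove possession of a network-wide shared secret.
SHARED_SECRET_AUTH = {"wpa-psk", "wpa2-psk", "wpa3-sae"}
# Ciphers accepted for confidentiality (AES-CCMP / GCMP); TKIP and WEP are not.
ACCEPTED_CIPHERS = {"ccmp", "ccmp-256", "gcmp", "gcmp-256"}

# Constructed profiles: only "CORP" should pass.
SAMPLE_PROFILES = [
    {"ssid": "CORP", "auth": "wpa2-eap", "cipher": "ccmp", "validate_server_cert": True},
    {"ssid": "CORP-NOVALIDATE", "auth": "wpa2-eap", "cipher": "ccmp", "validate_server_cert": False},
    {"ssid": "CORP-LEGACY", "auth": "wpa2-psk", "cipher": "tkip"},
    {"ssid": "GUEST", "auth": "open", "cipher": "none"},
    {"ssid": "SCANNERS", "auth": "wep", "cipher": "wep"},
]


def assess_profile(profile):
    """Return the reasons a profile fails AC-18(1); an empty list means it passes."""
    issues = []
    auth = profile.get("auth", "open").lower()
    cipher = profile.get("cipher", "none").lower()

    if auth == "open":
        issues.append("no authentication of users or devices")
    elif auth == "wep":
        issues.append("WEP shared-key authentication is broken")
    elif auth in SHARED_SECRET_AUTH:
        issues.append(f"{auth}: a shared secret does not authenticate individual users or devices")
    elif auth in IDENTITY_AUTH:
        # Without server certificate validation a rogue access point can
        # harvest EAP credentials from connecting clients.
        if not profile.get("validate_server_cert", False):
            issues.append("802.1X/EAP without authentication server certificate validation")
    else:
        issues.append(f"unrecognized authentication mode {auth!r}")

    if cipher in {"none", "wep"}:
        issues.append("traffic is not encrypted with an acceptable cipher")
    elif cipher == "tkip":
        issues.append("TKIP is deprecated; use CCMP or GCMP")
    elif cipher not in ACCEPTED_CIPHERS:
        issues.append(f"unrecognized cipher {cipher!r}")
    return issues


def audit(profiles):
    """Map each failing SSID to its issues; compliant profiles are omitted."""
    result = {}
    for p in profiles:
        issues = assess_profile(p)
        if issues:
            result[p["ssid"]] = issues
    return result


if __name__ == "__main__":
    for ssid, issues in audit(SAMPLE_PROFILES).items():
        print(ssid)
        for issue in issues:
            print("  -", issue)
```

Whether a pre-shared key counts as "authentication of devices" is an organizational decision; the example treats it as insufficient because the same secret is held by every client, which is why the PSK branch is a separate, easily removed rule.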

wireless access to the system is protected using authentication of users and/or devices;

wireless access to the system is protected using encryption.

Access control policy

procedures addressing wireless implementation and usage (including restrictions)

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

System/network administrators

organizational personnel with information security responsibilities

system developers

Mechanisms implementing wireless access protections to the system

AC-18 (3): Disable Wireless Networking

Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.

Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies.

when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.

Access control policy

procedures addressing wireless implementation and usage (including restrictions)

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

System/network administrators

organizational personnel with information security responsibilities

Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components

AC-19: Access Control for Mobile Devices

Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and

Authorize the connection of mobile devices to organizational systems.

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.

Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.

Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in AC-19. Many safeguards for mobile devices are reflected in other controls. AC-20 addresses mobile devices that are not organization-controlled.

configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;

connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;

implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;

the connection of mobile devices to organizational systems is authorized.

Access control policy

procedures addressing access control for mobile device usage (including restrictions)

configuration management plan

system design documentation

system configuration settings and associated documentation

authorizations for mobile device connections to organizational systems

system audit records

system security plan

other relevant documents or records

Organizational personnel using mobile devices to access organizational systems

system/network administrators

organizational personnel with information security responsibilities

Access control capability for mobile device connections to organizational systems

configurations of mobile devices

AC-19 (5): Full Device or Container-based Encryption

Employ full-device encryption or container-based encryption to protect the confidentiality and integrity of information on organization-defined mobile devices.

Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields.

full-device encryption or container-based encryption is employed to protect the confidentiality and integrity of information on organization-defined mobile devices.

Access control policy

procedures addressing access control for mobile devices

system design documentation

system configuration settings and associated documentation

encryption mechanisms and associated configuration documentation

system audit records

system security plan

other relevant documents or records

Organizational personnel with access control responsibilities for mobile devices

system/network administrators

organizational personnel with information security responsibilities

Encryption mechanisms protecting confidentiality and integrity of information on mobile devices

AC-20: Use of External Systems

Establish organization-defined terms and conditions and/or identify organization-defined controls asserted to be implemented on external systems, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:

Access the system from external systems; and

Process, store, or transmit organization-controlled information using external systems; or

Prohibit the use of organization-defined types of external systems.

External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally owned systems).

For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.

External systems used to access public interfaces to organizational systems are outside the scope of AC-20. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

organization-defined terms and conditions are established and/or organization-defined controls asserted to be implemented on external systems are identified, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);

organization-defined terms and conditions are established and/or organization-defined controls asserted to be implemented on external systems are identified, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);

the use of organization-defined types of external systems is prohibited (if applicable).

Access control policy

procedures addressing the use of external systems

external systems terms and conditions

list of types of applications accessible from external systems

maximum security categorization for information processed, stored, or transmitted on external systems

system configuration settings and associated documentation

system security plan

other relevant documents or records

Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems

system/network administrators

organizational personnel with information security responsibilities

Mechanisms implementing terms and conditions on the use of external systems

AC-20 (1): Limits on Authorized Use

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:

Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or

Retention of approved system connection or processing agreements with the organizational entity hosting the external system.

Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);

authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).

Access control policy

procedures addressing the use of external systems

system connection or processing agreements

account management documents

system security plan

other relevant documents or records

System/network administrators

organizational personnel with information security responsibilities

Mechanisms implementing limits on use of external systems

AC-20 (2): Portable Storage Devices — Restricted Use

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.

Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used.

the use of organization-controlled portable storage devices by authorized individuals on external systems is restricted using organization-defined restrictions.

Access control policy

procedures addressing the use of external systems

system configuration settings and associated documentation

system connection or processing agreements

account management documents

system security plan

other relevant documents or records

Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems

system/network administrators

organizational personnel with information security responsibilities

Mechanisms implementing restrictions on the use of portable storage devices

AC-21: Information Sharing

Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information's access and use restrictions for organization-defined information-sharing circumstances where user discretion is required; and

Employ organization-defined automated mechanisms or manual processes to assist users in making information-sharing and collaboration decisions.

Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions.

authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information's access and use restrictions for organization-defined information-sharing circumstances where user discretion is required;

organization-defined automated mechanisms or manual processes are employed to assist users in making information-sharing and collaboration decisions.

Access control policy

procedures addressing user-based collaboration and information sharing (including restrictions)

system design documentation

system configuration settings and associated documentation

list of users authorized to make information-sharing/collaboration decisions

list of information-sharing circumstances requiring user discretion

non-disclosure agreements

acquisitions/contractual agreements

system security plan

privacy plan

privacy impact assessment

security and privacy risk assessments

other relevant documents or records

Organizational personnel responsible for information-sharing/collaboration decisions

organizational personnel with responsibility for acquisitions/contractual agreements

system/network administrators

organizational personnel with information security and privacy responsibilities

Automated mechanisms or manual processes implementing access authorizations supporting information-sharing/user collaboration decisions

AC-22: Publicly Accessible Content

Designate individuals authorized to make information publicly accessible;

Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and

Review the content on the publicly accessible system for nonpublic information at an organization-defined frequency and remove such information, if discovered.

In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the Privacy Act and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.
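The pre-posting and periodic reviews above can be partly automated. The following added example (not part of the control text) scans a draft for indicators of nonpublic information: control markings, Social Security numbers, payment card numbers confirmed by the Luhn check so that ordinary long reference numbers are not reported, and RFC 1918 addresses that expose internal network layout. The patterns, the list of markings and the draft text are constructed; which indicators count as nonpublic is an organizational decision, so the list is a starting point rather than a definition.

```python
"""Pre-publication scan for nonpublic information (AC-22).

Added example, not part of the control text. The patterns, the markings
treated as nonpublic and the draft text are constructed; the set of
indicators is a starting point, not a complete definition of "nonpublic".
"""
import re

# Patterns whose presence alone is a finding.
PATTERNS = {
    # Control markings that should never appear on a public page (assumed list).
    "marking": re.compile(
        r"\b(?:CUI|FOUO|FOR OFFICIAL USE ONLY|CONTROLLED UNCLASSIFIED INFORMATION"
        r"|SENSITIVE BUT UNCLASSIFIED)\b"),
    # US SSN with structurally invalid area/group/serial values excluded.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # RFC 1918 addresses reveal internal network layout.
    "private_ipv4": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3})\b"),
}

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed draft: lines 3, 4, 5 and 7 contain nonpublic indicators;
# line 6 is a 16-digit value that fails the Luhn check and must not be reported.
SAMPLE_DRAFT = """\
Press release: Agency launches new public services portal.
Contact the press office at 202-555-0100 for interviews.
FOR OFFICIAL USE ONLY - internal rollout schedule attached.
Pilot test account 123-45-6789 was used to validate enrollment.
Procurement card 4111 1111 1111 1111 covers the launch event.
Reference number 4111 1111 1111 1112 is an order ID, not a card.
Staff can preview the portal at 10.20.30.40 before launch.
"""


def luhn_ok(digits):
    """Luhn check so that order numbers and other long digit runs are not
    reported as payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_nonpublic(text):
    """Return findings as {line, kind, text} dicts, in document order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "kind": kind, "text": m.group(0)})
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"line": lineno, "kind": "pan", "text": m.group(0)})
    return findings


def is_publishable(text):
    """True when the scan finds nothing; a human review is still required."""
    return not scan_for_nonpublic(text)


if __name__ == "__main__":
    for f in scan_for_nonpublic(SAMPLE_DRAFT):
        print(f"line {f['line']}: {f['kind']} -> {f['text']}")
```

A clean scan is a gate, not an approval: the reviewer in the control still has to read the content, because most nonpublic information (internal plans, unreleased figures, names of staff) has no regular pattern to match.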

designated individuals are authorized to make information publicly accessible;

authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;

the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;

the content on the publicly accessible system is reviewed for non-public information at an organization-defined frequency;

non-public information is removed from the publicly accessible system, if discovered.

Access control policy

procedures addressing publicly accessible content

list of users authorized to post publicly accessible content on organizational systems

training materials and/or records

records of publicly accessible information reviews

records of response to non-public information on public websites

system audit logs

security awareness training records

system security plan

other relevant documents or records

Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems

organizational personnel with information security responsibilities

Mechanisms implementing management of publicly accessible content