NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Reference Details

Name: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Reference Items

AC-1The organization:
AC-1a.Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
AC-1a.1.An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
AC-1a.2.Procedures to facilitate the implementation of the access control policy and associated access controls; and
AC-1b.Reviews and updates the current:
AC-1b.1.Access control policy [Assignment: organization-defined frequency]; and
AC-1b.2.Access control procedures [Assignment: organization-defined frequency].
AC-2The organization:
AC-2(1)The organization employs automated mechanisms to support the management of information system accounts.
AC-2(2)The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
AC-2(3)The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
AC-2(4)The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
AC-2(5)The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].
AC-2(6)The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities].
AC-2(7)The organization:
AC-2(7)(a)Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
AC-2(7)(b)Monitors privileged role assignments; and
AC-2(7)(c)Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
AC-2(8)The information system creates [Assignment: organization-defined information system accounts] dynamically.
AC-2(9)The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts].
AC-2(10)The information system terminates shared/group account credentials when members leave the group.
AC-2(11)The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts].
AC-2(12)The organization:
AC-2(12)(a)Monitors information system accounts for [Assignment: organization-defined atypical usage]; and
AC-2(12)(b)Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles].
AC-2(13)The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk.
AC-2a.Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
AC-2b.Assigns account managers for information system accounts;
AC-2c.Establishes conditions for group and role membership;
AC-2d.Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
AC-2e.Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
AC-2f.Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
AC-2g.Monitors the use of information system accounts;
AC-2h.Notifies account managers:
AC-2h.1.When accounts are no longer required;
AC-2h.2.When users are terminated or transferred; and
AC-2h.3.When individual information system usage or need-to-know changes;
AC-2i.Authorizes access to the information system based on:
AC-2i.1.A valid access authorization;
AC-2i.2.Intended system usage; and
AC-2i.3.Other attributes as required by the organization or associated missions/business functions;
AC-2j.Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
AC-2k.Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
AC-3The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-3(1)[Withdrawn: Incorporated into AC-6].
AC-3(2)The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
AC-3(3)The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy:
AC-3(3)(a)Is uniformly enforced across all subjects and objects within the boundary of the information system;
AC-3(3)(b)Specifies that a subject that has been granted access to information is constrained from doing any of the following;
AC-3(3)(b)(1)Passing the information to unauthorized subjects or objects;