Name: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations
Control | Description |
---|---|
AC-1 | The organization: |
AC-1a. | Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: |
AC-1a.1. | An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and |
AC-1a.2. | Procedures to facilitate the implementation of the access control policy and associated access controls; and |
AC-1b. | Reviews and updates the current: |
AC-1b.1. | Access control policy [Assignment: organization-defined frequency]; and |
AC-1b.2. | Access control procedures [Assignment: organization-defined frequency]. |
AC-2 | The organization: |
AC-2a. | Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; |
AC-2b. | Assigns account managers for information system accounts; |
AC-2c. | Establishes conditions for group and role membership; |
AC-2d. | Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; |
AC-2e. | Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; |
AC-2f. | Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; |
AC-2g. | Monitors the use of information system accounts; |
AC-2h. | Notifies account managers: |
AC-2h.1. | When accounts are no longer required; |
AC-2h.2. | When users are terminated or transferred; and |
AC-2h.3. | When individual information system usage or need-to-know changes; |
AC-2i. | Authorizes access to the information system based on: |
AC-2i.1. | A valid access authorization; |
AC-2i.2. | Intended system usage; and |
AC-2i.3. | Other attributes as required by the organization or associated missions/business functions; |
AC-2j. | Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and |
AC-2k. | Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |
AC-2(1) | The organization employs automated mechanisms to support the management of information system accounts. |
AC-2(2) | The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. |
AC-2(3) | The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. |
AC-2(4) | The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. |
AC-2(5) | The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]. |
AC-2(6) | The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities]. |
AC-2(7) | The organization: |
AC-2(7)(a) | Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; |
AC-2(7)(b) | Monitors privileged role assignments; and |
AC-2(7)(c) | Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate. |
AC-2(8) | The information system creates [Assignment: organization-defined information system accounts] dynamically. |
AC-2(9) | The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts]. |
AC-2(10) | The information system terminates shared/group account credentials when members leave the group. |
AC-2(11) | The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts]. |
AC-2(12) | The organization: |
AC-2(12)(a) | Monitors information system accounts for [Assignment: organization-defined atypical usage]; and |
AC-2(12)(b) | Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles]. |
AC-2(13) | The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk. |
AC-3 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
AC-3(1) | [Withdrawn: Incorporated into AC-6]. |
AC-3(2) | The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. |
AC-3(3) | The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy: |
AC-3(3)(a) | Is uniformly enforced across all subjects and objects within the boundary of the information system; |
AC-3(3)(b) | Specifies that a subject that has been granted access to information is constrained from doing any of the following; |
AC-3(3)(b)(1) | Passing the information to unauthorized subjects or objects; |