800-53|AC-1

Title

ACCESS CONTROL POLICY AND PROCEDURES

Description

The organization:

Supplemental

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: PM-9

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1 Ensure a customer created Customer Master Key (CMK) is created for the Web-tier	amazon_aws	CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
1.1.2 Ensure only trusted users are allowed to control Docker daemon	Unix	CIS Docker v1.7.0 L1 Docker - Linux
1.1.5 Ensure 'Password Policy' is enabled	Cisco	CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.2 Ensure a customer created Customer Master Key (CMK) is created for the App-tier	amazon_aws	CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
1.3 Ensure a customer created Customer Master Key (CMK) is created for the Database-Tier	amazon_aws	CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
1.4.1.1 Ensure 'aaa local authentication max failed attempts' is set to less than or equal to '3'	Cisco	CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.10 Do not create access keys during initial setup for IAM users with a console password	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L1
1.21 Ensure access to AWSCloudShellFullAccess is restricted	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L1
2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less	OracleDB	CIS Oracle Server 19c DB Traditional Auditing v1.2.0
2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less	OracleDB	CIS Oracle Server 19c DB Unified Auditing v1.2.0
2.2.12 Ensure 'SSL_CERT_REVOCATION' Is Set To 'REQUIRED'	Windows	CIS Oracle Database 23ai v1.0.0 L1 RDBMS On Windows Server Host OS
2.2.12 Ensure 'SSL_CERT_REVOCATION' Is Set To 'REQUIRED'	Unix	CIS Oracle Database 23ai v1.0.0 L1 RDBMS On Linux Host OS
2.3.8 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is Set To '3' Or Less	OracleDB	CIS Oracle Database 23ai v1.0.0 L1 RDBMS
2.6.1 Ensure Guest Account Is Disabled	Unix	CIS Apple macOS 13.0 Ventura Cloud-tailored v1.1.0 L1
2.6.1 Ensure Guest Account Is Disabled	Unix	CIS Apple macOS 15.0 Sequoia Cloud-tailored v1.0.0 L1
2.6.1 Ensure Guest Account Is Disabled	Unix	CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.1.0 L1
2.7 Ensure that a unique Certificate Authority is used for etcd	Unix	CIS Kubernetes v1.10.0 L2 Master
2.7 Ensure that a unique Certificate Authority is used for etcd	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L2 Master
2.7 Ensure that a unique Certificate Authority is used for etcd	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L2 Master
2.7 Ensure that a unique Certificate Authority is used for etcd	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L2 Master
2.12.1 Ensure Guest Account Is Disabled	Unix	CIS Apple macOS 15.0 Sequoia v1.0.0 L1
2.12.1 Ensure Guest Account Is Disabled	Unix	CIS Apple macOS 14.0 Sonoma v2.0.0 L1
2.12.1 Ensure Guest Account Is Disabled	Unix	CIS Apple macOS 13.0 Ventura v3.0.0 L1
2.14 Ensure containers are restricted from acquiring new privileges	Unix	CIS Docker v1.7.0 L1 Docker - Linux
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less Than Or Equal To '5'	OracleDB	CIS Oracle Database 23ai v1.0.0 L1 RDBMS
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5'	OracleDB	CIS Oracle Server 19c DB Traditional Auditing v1.2.0
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5'	OracleDB	CIS Oracle Server 19c DB Unified Auditing v1.2.0
3.1.1 Client certificate authentication should not be used for users	Unix	CIS Kubernetes v1.10.0 L1 Master
3.1.1 Client certificate authentication should not be used for users	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
3.1.1 Client certificate authentication should not be used for users	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
3.1.1 Client certificate authentication should not be used for users	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
3.1.2 Service account token authentication should not be used for users	Unix	CIS Kubernetes v1.10.0 L1 Master
3.1.3 Bootstrap token authentication should not be used for users	Unix	CIS Kubernetes v1.10.0 L1 Master
3.1.6 Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens	microsoft_azure	CIS Microsoft Azure Foundations v4.0.0 L1
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater Than Or Equal To '1'	OracleDB	CIS Oracle Database 23ai v1.0.0 L1 RDBMS
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1'	OracleDB	CIS Oracle Server 19c DB Traditional Auditing v1.2.0
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1'	OracleDB	CIS Oracle Server 19c DB Unified Auditing v1.2.0
3.3 Ensure 'PASSWORD_LIFE_TIME + PASSWORD_GRACE_TIME' Is Less Than Or Equal To '365'	OracleDB	CIS Oracle Database 23ai v1.0.0 L1 RDBMS
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90'	OracleDB	CIS Oracle Server 12c DB Traditional Auditing v3.0.0
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90'	OracleDB	CIS Oracle Server 19c DB Unified Auditing v1.2.0
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90'	OracleDB	CIS Oracle Server 19c DB Traditional Auditing v1.2.0
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90'	OracleDB	CIS Oracle Server 12c DB Unified Auditing v3.0.0
3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10'	OracleDB	CIS Oracle Server 19c DB Traditional Auditing v1.2.0
3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10'	OracleDB	CIS Oracle Server 19c DB Unified Auditing v1.2.0
3.12 (L1) Host must lock an account after a specified number of failed login attempts	VMware	CIS VMware ESXi 8.0 v1.1.0 L1
4.3 (L1) Ensure the maximum failed login attempts is set to 5	VMware	CIS VMware ESXi 7.0 v1.4.0 L1
4.3 Ensure the maximum failed login attempts is set to 5	VMware	CIS VMware ESXi 6.7 v1.3.0 Level 1
4.4.2.1.2 Ensure password failed attempts lockout is configured	Unix	CIS Amazon Linux 2 v3.0.0 L1
10.3.1.2 Ensure that Storage Account access keys are periodically regenerated	microsoft_azure	CIS Microsoft Azure Foundations v4.0.0 L1
10.3.1.3 Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled'	microsoft_azure	CIS Microsoft Azure Foundations v4.0.0 L1

Detections

Analytics