Theme

800-53|AC-1

Title

ACCESS CONTROL POLICY AND PROCEDURES

Description

The organization:

Supplemental

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: PM-9

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1 Ensure a customer created Customer Master Key (CMK) is created for the Web-tier	amazon_aws	CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
1.1.2 Ensure only trusted users are allowed to control Docker daemon	Unix	CIS Docker v1.5.0 L1 Linux Host OS
1.1.10 Use Just In Time privileged access to Office 365 roles	microsoft_azure	CIS Microsoft 365 Foundations E5 L2 v1.5.0
1.1.13 Ensure that collaboration invitations are sent to allowed domains only	microsoft_azure	CIS Microsoft 365 Foundations E3 L2 v1.5.0
1.2 Ensure a customer created Customer Master Key (CMK) is created for the App-tier	amazon_aws	CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
1.3 Ensure a customer created Customer Master Key (CMK) is created for the Database-Tier	amazon_aws	CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
1.3 Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management	microsoft_azure	CIS Microsoft Azure Foundations v1.5.0 L2
1.4 Ensure Guest Users Are Reviewed on a Regular Basis	microsoft_azure	CIS Microsoft Azure Foundations v1.5.0 L1
1.8 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'	microsoft_azure	CIS Microsoft Azure Foundations v1.5.0 L1
1.11 Ensure That 'Users Can Consent to Apps Accessing Company Data on Their Behalf' Is Set To 'Allow for Verified Publishers'	microsoft_azure	CIS Microsoft Azure Foundations v1.5.0 L2
1.12 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'	microsoft_azure	CIS Microsoft Azure Foundations v1.5.0 L1
1.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'	microsoft_azure	CIS Microsoft Azure Foundations v1.5.0 L2
1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'	microsoft_azure	CIS Microsoft Azure Foundations v1.5.0 L2
2.1.1 Client certificate authentication should not be used for users	GCP	CIS Google Kubernetes Engine (GKE) v1.3.0 L1
2.7 Ensure that a unique Certificate Authority is used for etcd	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L2 Master
2.7 Ensure that a unique Certificate Authority is used for etcd	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L2 Master
2.7 Ensure that a unique Certificate Authority is used for etcd	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L2 Master
2.12.1 Ensure Guest Account Is Disabled	Unix	CIS Apple macOS 13.0 Ventura v1.0.0 L1
2.14 Ensure containers are restricted from acquiring new privileges	Unix	CIS Docker v1.5.0 L1 Docker Linux
3.1.1 Client certificate authentication should not be used for users	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
3.1.1 Client certificate authentication should not be used for users	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
3.1.1 Client certificate authentication should not be used for users	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
3.4 Ensure that Storage Account Access Keys are Periodically Regenerated	microsoft_azure	CIS Microsoft Azure Foundations v1.5.0 L1
3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour	microsoft_azure	CIS Microsoft Azure Foundations v1.5.0 L1
4.3 Ensure the maximum failed login attempts is set to 5	VMware	CIS VMware ESXi 7.0 v1.1.0 Level 1
4.3 Ensure the maximum failed login attempts is set to 5	VMware	CIS VMware ESXi 6.7 v1.2.0 Level 1
5.2.1 Ensure Password Account Lockout Threshold Is Configured	Unix	CIS Apple macOS 12.0 Monterey v2.0.0 L1
5.2.1 Ensure Password Account Lockout Threshold Is Configured	Unix	CIS Apple macOS 13.0 Ventura v1.0.0 L1
5.2.1 Ensure Password Account Lockout Threshold Is Configured	Unix	CIS Apple macOS 10.14 v2.0.0 L1
5.2.1 Ensure Password Account Lockout Threshold Is Configured	Unix	CIS Apple macOS 10.15 Catalina v3.0.0 L1
5.2.1 Ensure Password Account Lockout Threshold Is Configured	Unix	CIS Apple macOS 11.0 Big Sur v3.0.0 L1
5.3.2 Ensure system accounts are secured - lock not root	Unix	CIS Google Container-Optimized OS L2 Server v1.0.0
5.3.2 Ensure system accounts are secured - non login	Unix	CIS Google Container-Optimized OS L2 Server v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - /etc/common-account	Unix	CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - /etc/common-account	Unix	CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - /etc/common-auth authfail	Unix	CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - /etc/common-auth authfail	Unix	CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - /etc/common-auth authsucc	Unix	CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - /etc/common-auth authsucc	Unix	CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - /etc/common-auth preauth	Unix	CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - /etc/common-auth preauth	Unix	CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - /etc/security/faillock.conf deny	Unix	CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - /etc/security/faillock.conf deny	Unix	CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - /etc/security/faillock.conf fail_interval	Unix	CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - /etc/security/faillock.conf fail_interval	Unix	CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - /etc/security/faillock.conf unlock_time	Unix	CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - /etc/security/faillock.conf unlock_time	Unix	CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - account pam_deny.so	Unix	CIS Debian Linux 11 Workstation L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - account pam_deny.so	Unix	CIS Debian Linux 11 Server L1 v1.0.0
5.4.2 Ensure lockout for failed password attempts is configured - account pam_tally2.so	Unix	CIS Debian Linux 11 Workstation L1 v1.0.0