Catalog: NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations | Controls: 221
| Control ID | Title / Statement | Priority | Baseline Impact | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AC-1 |
Access Control Policy and Procedures
3 params
The organization:
a. Develops, documents, and disseminates to {{ insert: param, ac-1_prm_1 }}:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management c...
► View parameters
|
— | — | ||||||||||||||||||
| AC-2 |
Account Management
4 params
► View parameters
|
— | — | ||||||||||||||||||
| AC-2(1) |
Automated System Account Management
The organization employs automated mechanisms to support the management of information system accounts.
|
— | — | ||||||||||||||||||
| AC-2(2) |
Removal of Temporary / Emergency Accounts
2 params
The information system automatically {{ insert: param, ac-2.2_prm_1 }} temporary and emergency accounts after {{ insert: param, ac-2.2_prm_2 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-2(3) |
Disable Inactive Accounts
1 param
The information system automatically disables inactive accounts after {{ insert: param, ac-2.3_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-2(4) |
Automated Audit Actions
1 param
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies {{ insert: param, ac-2.4_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-2(5) |
Inactivity Logout
1 param
The organization requires that users log out when {{ insert: param, ac-2.5_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-2(6) |
Dynamic Privilege Management
1 param
The information system implements the following dynamic privilege management capabilities: {{ insert: param, ac-2.6_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-2(7) |
Role-based Schemes
1 param
The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles...
► View parameters
|
— | — | ||||||||||||||||||
| AC-2(8) |
Dynamic Account Creation
1 param
The information system creates {{ insert: param, ac-2.8_prm_1 }} dynamically.
► View parameters
|
— | — | ||||||||||||||||||
| AC-2(9) |
Restrictions On Use of Shared / Group Accounts
1 param
The organization only permits the use of shared/group accounts that meet {{ insert: param, ac-2.9_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-2(10) |
Shared / Group Account Credential Termination
The information system terminates shared/group account credentials when members leave the group.
|
— | — | ||||||||||||||||||
| AC-2(11) |
Usage Conditions
2 params
The information system enforces {{ insert: param, ac-2.11_prm_1 }} for {{ insert: param, ac-2.11_prm_2 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-2(12) |
Account Monitoring / Atypical Usage
2 params
The organization:
(a) Monitors information system accounts for {{ insert: param, ac-2.12_prm_1 }}; and
(b) Reports atypical usage of information system accounts to {{ insert: param, ac-2.12_prm...
► View parameters
|
— | — | ||||||||||||||||||
| AC-2(13) |
Disable Accounts for High-risk Individuals
1 param
The organization disables accounts of users posing a significant risk within {{ insert: param, ac-2.13_prm_1 }} of discovery of the risk.
► View parameters
|
— | — | ||||||||||||||||||
| AC-3 |
Access Enforcement
|
— | — | ||||||||||||||||||
| AC-3(1) |
Restricted Access to Privileged Functions
|
— | — | ||||||||||||||||||
| AC-3(2) |
Dual Authorization
1 param
The information system enforces dual authorization for {{ insert: param, ac-3.2_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-3(3) |
Mandatory Access Control
3 params
The information system enforces {{ insert: param, ac-3.3_prm_1 }} over all subjects and objects where the policy:
(a) Is uniformly enforced across all subjects and objects within the boundary of ...
► View parameters
|
— | — | ||||||||||||||||||
| AC-3(4) |
Discretionary Access Control
1 param
The information system enforces {{ insert: param, ac-3.4_prm_1 }} over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one ...
► View parameters
|
— | — | ||||||||||||||||||
| AC-3(5) |
Security-relevant Information
1 param
The information system prevents access to {{ insert: param, ac-3.5_prm_1 }} except during secure, non-operable system states.
► View parameters
|
— | — | ||||||||||||||||||
| AC-3(6) |
Protection of User and System Information
|
— | — | ||||||||||||||||||
| AC-3(7) |
Role-based Access Control
1 param
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon {{ insert: param, ac-3.7_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-3(8) |
Revocation of Access Authorizations
1 param
The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on {{ insert: param, ac-3.8_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-3(9) |
Controlled Release
3 params
The information system does not release information outside of the established system boundary unless:
(a) The receiving {{ insert: param, ac-3.9_prm_1 }} provides {{ insert: param, ac-3.9_prm_2 ...
► View parameters
|
— | — | ||||||||||||||||||
| AC-3(10) |
Audited Override of Access Control Mechanisms
1 param
The organization employs an audited override of automated access control mechanisms under {{ insert: param, ac-3.10_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4 |
Information Flow Enforcement
1 param
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on {{ insert: param, ac-4_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(1) |
Object Security Attributes
3 params
The information system uses {{ insert: param, ac-4.1_prm_1 }} associated with {{ insert: param, ac-4.1_prm_2 }} to enforce {{ insert: param, ac-4.1_prm_3 }} as a basis for flow control decisions.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(2) |
Processing Domains
1 param
The information system uses protected processing domains to enforce {{ insert: param, ac-4.2_prm_1 }} as a basis for flow control decisions.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(3) |
Dynamic Information Flow Control
1 param
The information system enforces dynamic information flow control based on {{ insert: param, ac-4.3_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(4) |
Content Check Encrypted Information
2 params
The information system prevents encrypted information from bypassing content-checking mechanisms by {{ insert: param, ac-4.4_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(5) |
Embedded Data Types
1 param
The information system enforces {{ insert: param, ac-4.5_prm_1 }} on embedding data types within other data types.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(6) |
Metadata
1 param
The information system enforces information flow control based on {{ insert: param, ac-4.6_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(7) |
One-way Flow Mechanisms
1 param
The information system enforces {{ insert: param, ac-4.7_prm_1 }} using hardware mechanisms.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(8) |
Security Policy Filters
2 params
The information system enforces information flow control using {{ insert: param, ac-4.8_prm_1 }} as a basis for flow control decisions for {{ insert: param, ac-4.8_prm_2 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(9) |
Human Reviews
2 params
The information system enforces the use of human reviews for {{ insert: param, ac-4.9_prm_1 }} under the following conditions: {{ insert: param, ac-4.9_prm_2 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(10) |
Enable / Disable Security Policy Filters
2 params
The information system provides the capability for privileged administrators to enable/disable {{ insert: param, ac-4.10_prm_1 }} under the following conditions: {{ insert: param, ac-4.10_prm_2 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(11) |
Configuration of Security Policy Filters
1 param
The information system provides the capability for privileged administrators to configure {{ insert: param, ac-4.11_prm_1 }} to support different security policies.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(12) |
Data Type Identifiers
1 param
The information system, when transferring information between different security domains, uses {{ insert: param, ac-4.12_prm_1 }} to validate data essential for information flow decisions.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(13) |
Decomposition into Policy-relevant Subcomponents
1 param
The information system, when transferring information between different security domains, decomposes information into {{ insert: param, ac-4.13_prm_1 }} for submission to policy enforcement mechani...
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(14) |
Security Policy Filter Constraints
1 param
The information system, when transferring information between different security domains, implements {{ insert: param, ac-4.14_prm_1 }} requiring fully enumerated formats that restrict data structu...
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(15) |
Detection of Unsanctioned Information
2 params
The information system, when transferring information between different security domains, examines the information for the presence of {{ insert: param, ac-4.15_prm_1 }} and prohibits the transfer ...
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(16) |
Information Transfers On Interconnected Systems
|
— | — | ||||||||||||||||||
| AC-4(17) |
Domain Authentication
1 param
The information system uniquely identifies and authenticates source and destination points by {{ insert: param, ac-4.17_prm_1 }} for information transfer.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(18) |
Security Attribute Binding
1 param
The information system binds security attributes to information using {{ insert: param, ac-4.18_prm_1 }} to facilitate information flow policy enforcement.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(19) |
Validation of Metadata
The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.
|
— | — | ||||||||||||||||||
| AC-4(20) |
Approved Solutions
2 params
The organization employs {{ insert: param, ac-4.20_prm_1 }} to control the flow of {{ insert: param, ac-4.20_prm_2 }} across security domains.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(21) |
Physical / Logical Separation of Information Flows
2 params
The information system separates information flows logically or physically using {{ insert: param, ac-4.21_prm_1 }} to accomplish {{ insert: param, ac-4.21_prm_2 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-4(22) |
Access Only
The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow betw...
|
— | — | ||||||||||||||||||
| AC-5 |
Separation of Duties
1 param
The organization:
a. Separates {{ insert: param, ac-5_prm_1 }};
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation...
► View parameters
|
— | — | ||||||||||||||||||
| AC-6 |
Least Privilege
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in a...
|
— | — | ||||||||||||||||||
| AC-6(1) |
Authorize Access to Security Functions
1 param
The organization explicitly authorizes access to {{ insert: param, ac-6.1_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-6(2) |
Non-privileged Access for Nonsecurity Functions
1 param
The organization requires that users of information system accounts, or roles, with access to {{ insert: param, ac-6.2_prm_1 }}, use non-privileged accounts or roles, when accessing nonsecurity fun...
► View parameters
|
— | — | ||||||||||||||||||
| AC-6(3) |
Network Access to Privileged Commands
2 params
The organization authorizes network access to {{ insert: param, ac-6.3_prm_1 }} only for {{ insert: param, ac-6.3_prm_2 }} and documents the rationale for such access in the security plan for the i...
► View parameters
|
— | — | ||||||||||||||||||
| AC-6(4) |
Separate Processing Domains
The information system provides separate processing domains to enable finer-grained allocation of user privileges.
|
— | — | ||||||||||||||||||
| AC-6(5) |
Privileged Accounts
1 param
The organization restricts privileged accounts on the information system to {{ insert: param, ac-6.5_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-6(6) |
Privileged Access by Non-organizational Users
The organization prohibits privileged access to the information system by non-organizational users.
|
— | — | ||||||||||||||||||
| AC-6(7) |
Review of User Privileges
2 params
The organization:
(a) Reviews {{ insert: param, ac-6.7_prm_1 }} the privileges assigned to {{ insert: param, ac-6.7_prm_2 }} to validate the need for such privileges; and
(b) Reassigns or remov...
► View parameters
|
— | — | ||||||||||||||||||
| AC-6(8) |
Privilege Levels for Code Execution
1 param
The information system prevents {{ insert: param, ac-6.8_prm_1 }} from executing at higher privilege levels than users executing the software.
► View parameters
|
— | — | ||||||||||||||||||
| AC-6(9) |
Auditing Use of Privileged Functions
The information system audits the execution of privileged functions.
|
— | — | ||||||||||||||||||
| AC-6(10) |
Prohibit Non-privileged Users from Executing Privileged Functions
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
|
— | — | ||||||||||||||||||
| AC-7 |
Unsuccessful Logon Attempts
5 params
► View parameters
|
— | — | ||||||||||||||||||
| AC-7(1) |
Automatic Account Lock
|
— | — | ||||||||||||||||||
| AC-7(2) |
Purge / Wipe Mobile Device
3 params
The information system purges/wipes information from {{ insert: param, ac-7.2_prm_1 }} based on {{ insert: param, ac-7.2_prm_2 }} after {{ insert: param, ac-7.2_prm_3 }} consecutive, unsuccessful d...
► View parameters
|
— | — | ||||||||||||||||||
| AC-8 |
System Use Notification
2 params
The information system:
a. Displays to users {{ insert: param, ac-8_prm_1 }} before granting access to the system that provides privacy and security notices consistent with applicable federal law...
► View parameters
|
— | — | ||||||||||||||||||
| AC-9 |
Previous Logon (access) Notification
The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
|
— | — | ||||||||||||||||||
| AC-9(1) |
Unsuccessful Logons
The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.
|
— | — | ||||||||||||||||||
| AC-9(2) |
Successful / Unsuccessful Logons
2 params
The information system notifies the user of the number of {{ insert: param, ac-9.2_prm_1 }} during {{ insert: param, ac-9.2_prm_2 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-9(3) |
Notification of Account Changes
2 params
The information system notifies the user of changes to {{ insert: param, ac-9.3_prm_1 }} during {{ insert: param, ac-9.3_prm_2 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-9(4) |
Additional Logon Information
1 param
The information system notifies the user, upon successful logon (access), of the following additional information: {{ insert: param, ac-9.4_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-10 |
Concurrent Session Control
2 params
The information system limits the number of concurrent sessions for each {{ insert: param, ac-10_prm_1 }} to {{ insert: param, ac-10_prm_2 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-11 |
Session Lock
1 param
The information system:
a. Prevents further access to the system by initiating a session lock after {{ insert: param, ac-11_prm_1 }} of inactivity or upon receiving a request from a user; and
b...
► View parameters
|
— | — | ||||||||||||||||||
| AC-11(1) |
Pattern-hiding Displays
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
|
— | — | ||||||||||||||||||
| └ ac-11a | Prevents further access to the system by initiating a session lock after {{ insert: param, ac-11_prm_1 }} of inactivity or upon receiving a request... | — | — | ||||||||||||||||||
| └ ac-11b | Retains the session lock until the user reestablishes access using established identification and authentication procedures. | — | — | ||||||||||||||||||
| AC-12 |
Session Termination
1 param
The information system automatically terminates a user session after {{ insert: param, ac-12_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-12(1) |
User-initiated Logouts / Message Displays
1 param
The information system:
(a) Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.1_prm_1 }}; and
(b)...
► View parameters
|
— | — | ||||||||||||||||||
| └ ac-12.1.(a) | Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.1... | — | — | ||||||||||||||||||
| └ ac-12.1.(b) | Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. | — | — | ||||||||||||||||||
| AC-13 |
Supervision and Review - Access Control
|
— | — | ||||||||||||||||||
| AC-14 |
Permitted Actions Without Identification or Authentication
1 param
The organization:
a. Identifies {{ insert: param, ac-14_prm_1 }} that can be performed on the information system without identification or authentication consistent with organizational missions/b...
► View parameters
|
— | — | ||||||||||||||||||
| AC-14(1) |
Necessary Uses
|
— | — | ||||||||||||||||||
| └ ac-14a | Identifies {{ insert: param, ac-14_prm_1 }} that can be performed on the information system without identification or authentication consistent wit... | — | — | ||||||||||||||||||
| └ ac-14b | Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentic... | — | — | ||||||||||||||||||
| AC-15 |
Automated Marking
|
— | — | ||||||||||||||||||
| AC-16 |
Security Attributes
5 params
The organization:
a. Provides the means to associate {{ insert: param, ac-16_prm_1 }} having {{ insert: param, ac-16_prm_2 }} with information in storage, in process, and/or in transmission;
b....
► View parameters
|
— | — | ||||||||||||||||||
| AC-16(1) |
Dynamic Attribute Association
2 params
The information system dynamically associates security attributes with {{ insert: param, ac-16.1_prm_1 }} in accordance with {{ insert: param, ac-16.1_prm_2 }} as information is created and combined.
► View parameters
|
— | — | ||||||||||||||||||
| AC-16(2) |
Attribute Value Changes by Authorized Individuals
The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.
|
— | — | ||||||||||||||||||
| AC-16(3) |
Maintenance of Attribute Associations by Information System
2 params
The information system maintains the association and integrity of {{ insert: param, ac-16.3_prm_1 }} to {{ insert: param, ac-16.3_prm_2 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-16(4) |
Association of Attributes by Authorized Individuals
2 params
The information system supports the association of {{ insert: param, ac-16.4_prm_1 }} with {{ insert: param, ac-16.4_prm_2 }} by authorized individuals (or processes acting on behalf of individuals).
► View parameters
|
— | — | ||||||||||||||||||
| AC-16(5) |
Attribute Displays for Output Devices
2 params
The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.5_prm_1 }} using {{ insert:...
► View parameters
|
— | — | ||||||||||||||||||
| AC-16(6) |
Maintenance of Attribute Association by Organization
3 params
The organization allows personnel to associate, and maintain the association of {{ insert: param, ac-16.6_prm_1 }} with {{ insert: param, ac-16.6_prm_2 }} in accordance with {{ insert: param, ac-16...
► View parameters
|
— | — | ||||||||||||||||||
| AC-16(7) |
Consistent Attribute Interpretation
The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.
|
— | — | ||||||||||||||||||
| AC-16(8) |
Association Techniques / Technologies
2 params
The information system implements {{ insert: param, ac-16.8_prm_1 }} with {{ insert: param, ac-16.8_prm_2 }} in associating security attributes to information.
► View parameters
|
— | — | ||||||||||||||||||
| AC-16(9) |
Attribute Reassignment
1 param
The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using {{ insert: param, ac-16.9_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| AC-16(10) |
Attribute Configuration by Authorized Individuals
The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.
|
— | — | ||||||||||||||||||
| └ ac-16a | Provides the means to associate {{ insert: param, ac-16_prm_1 }} having {{ insert: param, ac-16_prm_2 }} with information in storage, in process, a... | — | — | ||||||||||||||||||
| └ ac-16b | Ensures that the security attribute associations are made and retained with the information; | — | — | ||||||||||||||||||
| └ ac-16c | Establishes the permitted {{ insert: param, ac-16_prm_3 }} for {{ insert: param, ac-16_prm_4 }}; and | — | — | ||||||||||||||||||
| └ ac-16d | Determines the permitted {{ insert: param, ac-16_prm_5 }} for each of the established security attributes. | — | — | ||||||||||||||||||
| AC-17 |
Remote Access
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes r...
|
— | — | ||||||||||||||||||
| AC-17(1) |
Automated Monitoring / Control
The information system monitors and controls remote access methods.
|
— | — | ||||||||||||||||||
| AC-17(2) |
Protection of Confidentiality / Integrity Using Encryption
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
|
— | — | ||||||||||||||||||
| AC-17(3) |
Managed Access Control Points
1 param
The information system routes all remote accesses through {{ insert: param, ac-17.3_prm_1 }} managed network access control points.
► View parameters
|
— | — | ||||||||||||||||||
| AC-17(4) |
Privileged Commands / Access
1 param
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for {{ insert: param, ac-17.4_prm_1 }}; and
(b) Document...
► View parameters
|
— | — | ||||||||||||||||||
| AC-17(5) |
Monitoring for Unauthorized Connections
|
— | — | ||||||||||||||||||
| AC-17(6) |
Protection of Information
The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
|
— | — | ||||||||||||||||||
| AC-17(7) |
Additional Protection for Security Function Access
|
— | — | ||||||||||||||||||
| AC-17(8) |
Disable Nonsecure Network Protocols
|
— | — | ||||||||||||||||||
| AC-17(9) |
Disconnect / Disable Access
1 param
The organization provides the capability to expeditiously disconnect or disable remote access to the information system within {{ insert: param, ac-17.9_prm_1 }}.
► View parameters
|
— | — | ||||||||||||||||||
| └ ac-17.4.(a) | Authorizes the execution of privileged commands and access to security-relevant information via remote access only for {{ insert: param, ac-17.4_pr... | — | — | ||||||||||||||||||
| └ ac-17.4.(b) | Documents the rationale for such access in the security plan for the information system. | — | — | ||||||||||||||||||
| └ ac-17a | Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access all... | — | — | ||||||||||||||||||
| └ ac-17b | Authorizes remote access to the information system prior to allowing such connections. | — | — | ||||||||||||||||||
| AC-18 |
Wireless Access
The organization:
a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
b. Authorizes wireless access to the information...
|
— | — | ||||||||||||||||||
| AC-18(1) |
Authentication and Encryption
1 param
The information system protects wireless access to the system using authentication of {{ insert: param, ac-18.1_prm_1 }} and encryption.
► View parameters
|
— | — | ||||||||||||||||||
| AC-18(2) |
Monitoring Unauthorized Connections
|
— | — | ||||||||||||||||||
| AC-18(3) |
Disable Wireless Networking
The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
|
— | — | ||||||||||||||||||
| AC-18(4) |
Restrict Configurations by Users
The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.
|
— | — | ||||||||||||||||||
| AC-18(5) |
Antennas / Transmission Power Levels
The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.
|
— | — | ||||||||||||||||||
| └ ac-18a | Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and | — | — | ||||||||||||||||||
| └ ac-18b | Authorizes wireless access to the information system prior to allowing such connections. | — | — | ||||||||||||||||||
| AC-19 |
Access Control for Mobile Devices
The organization:
a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
b. Authoriz...
|
— | — | ||||||||||||||||||
| AC-19(1) |
Use of Writable / Portable Storage Devices
|
— | — | ||||||||||||||||||
| AC-19(2) |
Use of Personally Owned Portable Storage Devices
|
— | — | ||||||||||||||||||
| AC-19(3) |
Use of Portable Storage Devices with No Identifiable Owner
|
— | — | ||||||||||||||||||
| AC-19(4) |
Restrictions for Classified Information
2 params
The organization:
(a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically...
► View parameters
|
— | — | ||||||||||||||||||
| AC-19(5) |
Full Device / Container-based Encryption
2 params
The organization employs {{ insert: param, ac-19.5_prm_1 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.5_prm_2 }}.
► View parameters
|
— | — | ||||||||||||||||||
| └ ac-19.4.(a) | Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified infor... | — | — | ||||||||||||||||||
| └ ac-19.4.(b) | Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containin... | — | — | ||||||||||||||||||
| └ ac-19.4.(b).(1) | Connection of unclassified mobile devices to classified information systems is prohibited; | — | — | ||||||||||||||||||
| └ ac-19.4.(b).(2) | Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; | — | — | ||||||||||||||||||
| └ ac-19.4.(b).(3) | Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and | — | — | ||||||||||||||||||
| └ ac-19.4.(b).(4) | Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by {{ insert: param, ac-19.4_... | — | — | ||||||||||||||||||
| └ ac-19.4.(c) | Restricts the connection of classified mobile devices to classified information systems in accordance with {{ insert: param, ac-19.4_prm_2 }}. | — | — | ||||||||||||||||||
| └ ac-19a | Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile... | — | — | ||||||||||||||||||
| └ ac-19b | Authorizes the connection of mobile devices to organizational information systems. | — | — | ||||||||||||||||||
| └ ac-1a | Develops, documents, and disseminates to {{ insert: param, ac-1_prm_1 }}: | — | — | ||||||||||||||||||
| └ ac-1a.1 | An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities,... | — | — | ||||||||||||||||||
| └ ac-1a.2 | Procedures to facilitate the implementation of the access control policy and associated access controls; and | — | — | ||||||||||||||||||
| └ ac-1b | Reviews and updates the current: | — | — | ||||||||||||||||||
| └ ac-1b.1 | Access control policy {{ insert: param, ac-1_prm_2 }}; and | — | — | ||||||||||||||||||
| └ ac-1b.2 | Access control procedures {{ insert: param, ac-1_prm_3 }}. | — | — | ||||||||||||||||||
| AC-20 | Use of External Information Systems (4 params): The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, a... | — | — |
| AC-20(1) | Limits On Authorized Use: The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only whe... | — | — |
| AC-20(2) | Portable Storage Devices (1 param): The organization {{ insert: param, ac-20.2_prm_1 }} the use of organization-controlled portable storage devices by authorized individuals on external information systems. | — | — |
| AC-20(3) | Non-organizationally Owned Systems / Components / Devices (1 param): The organization {{ insert: param, ac-20.3_prm_1 }} the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information. | — | — |
| AC-20(4) | Network Accessible Storage Devices (1 param): The organization prohibits the use of {{ insert: param, ac-20.4_prm_1 }} in external information systems. | — | — |
| └ ac-20.1.(a) | Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and... | — | — |
| └ ac-20.1.(b) | Retains approved information system connection or processing agreements with the organizational entity hosting the external information system. | — | — |
| └ ac-20a | Access the information system from external information systems; and | — | — |
| └ ac-20b | Process, store, or transmit organization-controlled information using external information systems. | — | — |
| AC-21 | Information Sharing (2 params): The organization: a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the i... | — | — |
| AC-21(1) | Automated Decision Support: The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. | — | — |
| AC-21(2) | Information Search and Retrieval (1 param): The information system implements information search and retrieval services that enforce {{ insert: param, ac-21.2_prm_1 }}. | — | — |
| └ ac-2.12.(a) | Monitors information system accounts for {{ insert: param, ac-2.12_prm_1 }}; and | — | — |
| └ ac-2.12.(b) | Reports atypical usage of information system accounts to {{ insert: param, ac-2.12_prm_2 }}. | — | — |
| └ ac-21a | Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the a... | — | — |
| └ ac-21b | Employs {{ insert: param, ac-21_prm_2 }} to assist users in making information sharing/collaboration decisions. | — | — |
| AC-22 | Publicly Accessible Content (1 param): The organization: a. Designates individuals authorized to post information onto a publicly accessible information system; b. Trains authorized individuals to ensure that publicly accessible inf... | — | — |
| └ ac-22a | Designates individuals authorized to post information onto a publicly accessible information system; | — | — |
| └ ac-22b | Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; | — | — |
| └ ac-22c | Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information i... | — | — |
| └ ac-22d | Reviews the content on the publicly accessible information system for nonpublic information {{ insert: param, ac-22_prm_1 }} and removes such infor... | — | — |
| AC-23 | Data Mining Protection (2 params): The organization employs {{ insert: param, ac-23_prm_1 }} for {{ insert: param, ac-23_prm_2 }} to adequately detect and protect against data mining. | — | — |
| AC-24 | Access Control Decisions (1 param): The organization establishes procedures to ensure {{ insert: param, ac-24_prm_1 }} are applied to each access request prior to access enforcement. | — | — |
| AC-24(1) | Transmit Access Authorization Information (3 params): The information system transmits {{ insert: param, ac-24.1_prm_1 }} using {{ insert: param, ac-24.1_prm_2 }} to {{ insert: param, ac-24.1_prm_3 }} that enforce access control decisions. | — | — |
| AC-24(2) | No User or Process Identity (1 param): The information system enforces access control decisions based on {{ insert: param, ac-24.2_prm_1 }} that do not include the identity of the user or process acting on behalf of the user. | — | — |
| AC-25 | Reference Monitor (1 param): The information system implements a reference monitor for {{ insert: param, ac-25_prm_1 }} that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completen... | — | — |
| └ ac-2.7.(a) | Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access... | — | — |
| └ ac-2.7.(b) | Monitors privileged role assignments; and | — | — |
| └ ac-2.7.(c) | Takes {{ insert: param, ac-2.7_prm_1 }} when privileged role assignments are no longer appropriate. | — | — |
| └ ac-2a | Identifies and selects the following types of information system accounts to support organizational missions/business functions: {{ insert: param, ... | — | — |
| └ ac-2b | Assigns account managers for information system accounts; | — | — |
| └ ac-2c | Establishes conditions for group and role membership; | — | — |
| └ ac-2d | Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes ... | — | — |
| └ ac-2e | Requires approvals by {{ insert: param, ac-2_prm_2 }} for requests to create information system accounts; | — | — |
| └ ac-2f | Creates, enables, modifies, disables, and removes information system accounts in accordance with {{ insert: param, ac-2_prm_3 }}; | — | — |
| └ ac-2g | Monitors the use of information system accounts; | — | — |
| └ ac-2h | Notifies account managers: | — | — |
| └ ac-2h.1 | When accounts are no longer required; | — | — |
| └ ac-2h.2 | When users are terminated or transferred; and | — | — |
| └ ac-2h.3 | When individual information system usage or need-to-know changes; | — | — |
| └ ac-2i | Authorizes access to the information system based on: | — | — |
| └ ac-2i.1 | A valid access authorization; | — | — |
| └ ac-2i.2 | Intended system usage; and | — | — |
| └ ac-2i.3 | Other attributes as required by the organization or associated missions/business functions; | — | — |
| └ ac-2j | Reviews accounts for compliance with account management requirements {{ insert: param, ac-2_prm_4 }}; and | — | — |
| └ ac-2k | Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. | — | — |
| └ ac-3.3.(a) | Is uniformly enforced across all subjects and objects within the boundary of the information system; | — | — |
| └ ac-3.3.(b) | Specifies that a subject that has been granted access to information is constrained from doing any of the following; | — | — |
| └ ac-3.3.(b).(1) | Passing the information to unauthorized subjects or objects; | — | — |
| └ ac-3.3.(b).(2) | Granting its privileges to other subjects; | — | — |
| └ ac-3.3.(b).(3) | Changing one or more security attributes on subjects, objects, the information system, or information system components; | — | — |
| └ ac-3.3.(b).(4) | Choosing the security attributes and attribute values to be associated with newly created or modified objects; or | — | — |
| └ ac-3.3.(b).(5) | Changing the rules governing access control; and | — | — |
| └ ac-3.3.(c) | Specifies that {{ insert: param, ac-3.3_prm_2 }} may explicitly be granted {{ insert: param, ac-3.3_prm_3 }} such that they are not limited by some... | — | — |
| └ ac-3.4.(a) | Pass the information to any other subjects or objects; | — | — |
| └ ac-3.4.(b) | Grant its privileges to other subjects; | — | — |
| └ ac-3.4.(c) | Change security attributes on subjects, objects, the information system, or the information system’s components; | — | — |
| └ ac-3.4.(d) | Choose the security attributes to be associated with newly created or revised objects; or | — | — |
| └ ac-3.4.(e) | Change the rules governing access control. | — | — |
| └ ac-3.9.(a) | The receiving {{ insert: param, ac-3.9_prm_1 }} provides {{ insert: param, ac-3.9_prm_2 }}; and | — | — |
| └ ac-3.9.(b) | {{ insert: param, ac-3.9_prm_3 }} are used to validate the appropriateness of the information designated for release. | — | — |
| └ ac-5a | Separates {{ insert: param, ac-5_prm_1 }}; | — | — |
| └ ac-5b | Documents separation of duties of individuals; and | — | — |
| └ ac-5c | Defines information system access authorizations to support separation of duties. | — | — |
| └ ac-6.7.(a) | Reviews {{ insert: param, ac-6.7_prm_1 }} the privileges assigned to {{ insert: param, ac-6.7_prm_2 }} to validate the need for such privileges; and | — | — |
| └ ac-6.7.(b) | Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. | — | — |
| └ ac-7a | Enforces a limit of {{ insert: param, ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-7_prm_2 }}; and | — | — |
| └ ac-7b | Automatically {{ insert: param, ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded. | — | — |
| └ ac-8a | Displays to users {{ insert: param, ac-8_prm_1 }} before granting access to the system that provides privacy and security notices consistent with a... | — | — |
| └ ac-8a.1 | Users are accessing a U.S. Government information system; | — | — |
| └ ac-8a.2 | Information system usage may be monitored, recorded, and subject to audit; | — | — |
| └ ac-8a.3 | Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and | — | — |
| └ ac-8a.4 | Use of the information system indicates consent to monitoring and recording; | — | — |
| └ ac-8b | Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or fur... | — | — |
| └ ac-8c | For publicly accessible systems: | — | — |
| └ ac-8c.1 | Displays system use information {{ insert: param, ac-8_prm_2 }}, before granting further access; | — | — |
| └ ac-8c.2 | Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally ... | — | — |
| └ ac-8c.3 | Includes a description of the authorized uses of the system. | — | — |