Control ID Title / Statement Priority Baseline Impact
AC-01
Policy and Procedures 9 params
a. Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}: 1. {{ insert: param, ac-01_odp.03 }} access control policy that: (a) Addresses purpose, scope, roles, responsib...
Param ID Label Constraint / Choices
ac-1_prm_1 organization-defined personnel or roles Organization-defined
ac-01_odp.01 personnel or roles personnel or roles to whom the access control policy is to be disseminated is/are defined;
ac-01_odp.02 personnel or roles personnel or roles to whom the access control procedures are to be disseminated is/are defined;
ac-01_odp.03 Select one-or-more: organization-level; mission/business process-level; system-level
ac-01_odp.04 official an official to manage the access control policy and procedures is defined;
ac-01_odp.05 frequency the frequency at which the current access control policy is reviewed and updated is defined;
ac-01_odp.06 events events that would require the current access control policy to be reviewed and updated are defined;
ac-01_odp.07 frequency the frequency at which the current access control procedures are reviewed and updated is defined;
ac-01_odp.08 events events that would require procedures to be reviewed and updated are defined;
AC-02
Account Management 10 params
a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require {{ insert: param, ac-02_odp.01 }} for group ...
Param ID Label Constraint / Choices
ac-02_odp.01 prerequisites and criteria prerequisites and criteria for group and role membership are defined;
ac-02_odp.02 attributes (as required) attributes (as required) for each account are defined;
ac-02_odp.03 personnel or roles personnel or roles required to approve requests to create accounts is/are defined;
ac-02_odp.04 policy, procedures, prerequisites, and criteria policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal ...
ac-02_odp.05 personnel or roles personnel or roles to be notified is/are defined;
ac-02_odp.06 time period time period within which to notify account managers when accounts are no longer required is defined;
ac-02_odp.07 time period time period within which to notify account managers when users are terminated or transferred is defined;
ac-02_odp.08 time period time period within which to notify account managers when system usage or the need to know changes for an individual i...
ac-02_odp.09 attributes (as required) attributes needed to authorize system access (as required) are defined;
ac-02_odp.10 frequency the frequency of account review is defined;
AC-02(01)
Automated System Account Management 1 param
Support the management of system accounts using {{ insert: param, ac-02.01_odp }}.
Param ID Label Constraint / Choices
ac-02.01_odp automated mechanisms automated mechanisms used to support the management of system accounts are defined;
AC-02(02)
Automated Temporary and Emergency Account Management 2 params
Automatically {{ insert: param, ac-02.02_odp.01 }} temporary and emergency accounts after {{ insert: param, ac-02.02_odp.02 }}.
Param ID Label Constraint / Choices
ac-02.02_odp.01 Select one: remove; disable
ac-02.02_odp.02 time period the time period after which to automatically remove or disable temporary or emergency accounts is defined;
AC-02(03)
Disable Accounts 2 params
Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizationa...
Param ID Label Constraint / Choices
ac-02.03_odp.01 time period time period within which to disable accounts is defined;
ac-02.03_odp.02 time period time period for account inactivity before disabling is defined;
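Worked example for AC-02(02) and AC-02(03), added here and not part of the NIST catalog or the OSCAL export it was rendered from. It evaluates a directory export against the four disable conditions in AC-02(03) (expired, no associated individual, inactive for the organization-defined period) and the fixed lifetime of temporary and emergency accounts in AC-02(02). The policy values (90 days of inactivity, 7-day temporary-account lifetime), the `Account` record and the sample accounts are all constructed placeholders standing in for ac-02.03_odp.02 and ac-02.02_odp.02; the "in violation of organizational policy" condition is left to the calling system because it is entirely organization-specific.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Organization-defined values. Hypothetical placeholders standing in for the
# ODPs on this page: ac-02.03_odp.02 (inactivity period before disabling) and
# ac-02.02_odp.02 (lifetime of temporary/emergency accounts).
POLICY = {
    "disable_inactive_after": timedelta(days=90),
    "temp_account_lifetime": timedelta(days=7),
}


@dataclass
class Account:
    name: str
    kind: str                         # "standard" | "temporary" | "emergency" | "service"
    created: datetime
    owner: Optional[str]              # None = no longer associated with an individual
    last_login: Optional[datetime]    # None = never logged in
    expires: Optional[datetime] = None
    enabled: bool = True


def disable_reasons(acct: Account, now: datetime, policy=POLICY) -> list:
    """Return the AC-02(02)/(03) conditions this account currently meets."""
    if not acct.enabled:
        return []                     # already disabled; nothing to do
    reasons = []
    if acct.expires is not None and now >= acct.expires:
        reasons.append("expired")
    if acct.owner is None:
        reasons.append("no associated individual")
    # An account that has never logged in is measured from its creation date,
    # so a provisioned-but-unused account is caught as well.
    last_activity = acct.last_login or acct.created
    if now - last_activity >= policy["disable_inactive_after"]:
        reasons.append("inactive")
    # AC-02(02): temporary and emergency accounts run on a fixed clock from
    # creation, regardless of whether they are still being used.
    if acct.kind in ("temporary", "emergency") and now - acct.created >= policy["temp_account_lifetime"]:
        reasons.append(f"{acct.kind} account past lifetime")
    return reasons


def accounts_to_disable(accounts, now: datetime, policy=POLICY) -> dict:
    """Map account name -> reasons, for every enabled account that must be disabled now."""
    plan = {}
    for acct in accounts:
        reasons = disable_reasons(acct, now, policy)
        if reasons:
            plan[acct.name] = reasons
    return plan


def _utc(*ymd) -> datetime:
    return datetime(*ymd, tzinfo=timezone.utc)


# Constructed sample directory export; these are not real accounts.
NOW = _utc(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "standard", _utc(2023, 1, 10), "Alice", _utc(2024, 5, 30)),
    Account("bob", "standard", _utc(2023, 1, 10), None, _utc(2024, 5, 20)),
    Account("contractor-7", "temporary", _utc(2024, 5, 20), "Vendor", _utc(2024, 5, 31), expires=_utc(2024, 6, 30)),
    Account("break-glass", "emergency", _utc(2024, 5, 31), "SOC", None),
    Account("svc-backup", "service", _utc(2023, 1, 1), "Platform", _utc(2024, 1, 15)),
    Account("dave", "standard", _utc(2023, 3, 1), "Dave", _utc(2024, 5, 1), expires=_utc(2024, 5, 15)),
    Account("erin", "standard", _utc(2022, 6, 1), None, None, enabled=False),
]

if __name__ == "__main__":
    for name, reasons in accounts_to_disable(SAMPLE_ACCOUNTS, NOW).items():
        print(f"disable {name}: {', '.join(reasons)}")
```

Run against the sample, the plan disables bob (orphaned), dave (expired), svc-backup (138 days without a logon) and contractor-7 (a temporary account that is still in daily use but past its 7-day lifetime); break-glass is one day old and stays. Each disable action should also be written to the audit trail, which is the separate requirement in AC-02(04).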
AC-02(04)
Automated Audit Actions
Automatically audit account creation, modification, enabling, disabling, and removal actions.
AC-02(05)
Inactivity Logout 1 param
Require that users log out when {{ insert: param, ac-02.05_odp }}.
Param ID Label Constraint / Choices
ac-02.05_odp time period of expected inactivity or description of when to log out the time period of expected inactivity or description of when to log out is defined;
AC-02(06)
Dynamic Privilege Management 1 param
Implement {{ insert: param, ac-02.06_odp }}.
Param ID Label Constraint / Choices
ac-02.06_odp dynamic privilege management capabilities dynamic privilege management capabilities are defined;
AC-02(07)
Privileged User Accounts 1 param
(a) Establish and administer privileged user accounts in accordance with {{ insert: param, ac-02.07_odp }}; (b) Monitor privileged role or attribute assignments; (c) Monitor changes to roles ...
Param ID Label Constraint / Choices
ac-02.07_odp Select one: a role-based access scheme; an attribute-based access scheme
AC-02(08)
Dynamic Account Management 1 param
Create, activate, manage, and deactivate {{ insert: param, ac-02.08_odp }} dynamically.
Param ID Label Constraint / Choices
ac-02.08_odp system accounts system accounts that are dynamically created, activated, managed, and deactivated are defined;
AC-02(09)
Restrictions on Use of Shared and Group Accounts 1 param
Only permit the use of shared and group accounts that meet {{ insert: param, ac-02.09_odp }}.
Param ID Label Constraint / Choices
ac-02.09_odp conditions conditions for establishing shared and group accounts are defined;
AC-02(10)
Shared and Group Account Credential Change
AC-02(11)
Usage Conditions 2 params
Enforce {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }}.
Param ID Label Constraint / Choices
ac-02.11_odp.01 circumstances and/or usage conditions circumstances and/or usage conditions to be enforced for system accounts are defined;
ac-02.11_odp.02 system accounts system accounts subject to enforcement of circumstances and/or usage conditions are defined;
AC-02(12)
Account Monitoring for Atypical Usage 2 params
(a) Monitor system accounts for {{ insert: param, ac-02.12_odp.01 }} ; and (b) Report atypical usage of system accounts to {{ insert: param, ac-02.12_odp.02 }}.
Param ID Label Constraint / Choices
ac-02.12_odp.01 atypical usage atypical usage for which to monitor system accounts is defined;
ac-02.12_odp.02 personnel or roles personnel or roles to report atypical usage is/are defined;
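Worked example for AC-02(12), added here and not part of the NIST catalog or the OSCAL export. Part (a) needs an organization-defined notion of "atypical" (ac-02.12_odp.01); this code takes one common reading: a baseline per account of the source networks and logon hours seen on successful logons, and flags successes from a new /24, successes outside the baseline hour range, accounts with no baseline at all, and a burst of failed logons. The log format, the accounts, the addresses and the 5-failure threshold are all constructed for the example; the failure counter is deliberately unwindowed (the time-window version is what AC-07 specifies). The returned findings are what part (b) reports to the personnel in ac-02.12_odp.02.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format for this example (not a real product's format):
#   <ISO-8601 UTC timestamp> user=<account> src=<IPv4> result=success|failure
LOG_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(success|failure)$")


def parse_line(line: str) -> dict:
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m.group(2), "src": m.group(3), "result": m.group(4)}


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def source_net(ip: str) -> ipaddress.IPv4Network:
    # Baseline on the /24 rather than the exact address so DHCP churn inside
    # an office network does not look atypical.
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def build_baseline(events: list) -> dict:
    """Per account: source networks and hours observed on successful logons."""
    baseline = defaultdict(lambda: {"nets": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue
        b = baseline[e["user"]]
        b["nets"].add(source_net(e["src"]))
        b["hours"].add(e["ts"].hour)
    return dict(baseline)


def find_atypical(baseline: dict, events: list, failure_threshold: int = 5) -> list:
    """Return (timestamp, account, reason) for each event that departs from the baseline."""
    findings = []
    failures = defaultdict(int)
    for e in events:
        user = e["user"]
        if e["result"] == "failure":
            failures[user] += 1
            if failures[user] == failure_threshold:
                findings.append((e["ts"], user, f"{failure_threshold} failed logons"))
            continue
        b = baseline.get(user)
        if b is None:
            findings.append((e["ts"], user, "no baseline (new or dormant account)"))
            continue
        net = source_net(e["src"])
        if net not in b["nets"]:
            findings.append((e["ts"], user, f"new source network {net}"))
        lo, hi = min(b["hours"]), max(b["hours"])
        if not lo <= e["ts"].hour <= hi:
            findings.append((e["ts"], user, f"logon at unusual hour {e['ts'].hour:02d}:00Z"))
    return findings


# Constructed history (the baseline window) and one constructed day of new events.
BASELINE_LOG = """
2024-05-13T09:02:11Z user=alice src=198.51.100.23 result=success
2024-05-14T10:15:40Z user=alice src=198.51.100.41 result=success
2024-05-15T16:48:03Z user=alice src=198.51.100.23 result=success
2024-05-13T08:55:00Z user=bob src=198.51.100.77 result=success
2024-05-16T17:30:12Z user=bob src=198.51.100.78 result=success
2024-05-16T17:31:09Z user=bob src=198.51.100.78 result=failure
"""

TODAY_LOG = """
2024-06-01T10:05:22Z user=alice src=198.51.100.23 result=success
2024-06-01T03:12:47Z user=alice src=203.0.113.9 result=success
2024-06-01T11:00:01Z user=bob src=198.51.100.77 result=failure
2024-06-01T11:00:04Z user=bob src=198.51.100.77 result=failure
2024-06-01T11:00:07Z user=bob src=198.51.100.77 result=failure
2024-06-01T11:00:10Z user=bob src=198.51.100.77 result=failure
2024-06-01T11:00:13Z user=bob src=198.51.100.77 result=failure
2024-06-01T11:02:00Z user=carol src=198.51.100.90 result=success
"""


def report() -> list:
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return find_atypical(baseline, parse_log(TODAY_LOG))


if __name__ == "__main__":
    for ts, user, reason in report():
        print(f"{ts.isoformat()} {user}: {reason}")
```

On the sample day this yields four findings: alice's 03:12Z logon from 203.0.113.0/24 (new network and unusual hour, reported separately so each can be tuned), bob reaching five failed logons, and carol succeeding with no history. A short baseline window inflates the "unusual hour" signal, so in practice the window should cover at least a full work cycle before the findings are routed to people.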
AC-02(13)
Disable Accounts for High-risk Individuals 2 params
Disable accounts of individuals within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.
Param ID Label Constraint / Choices
ac-02.13_odp.01 time period time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;
ac-02.13_odp.02 significant risks significant risks leading to disabling accounts are defined;
AC-03
Access Enforcement
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-03(01)
Restricted Access to Privileged Functions
AC-03(02)
Dual Authorization 1 param
Enforce dual authorization for {{ insert: param, ac-03.02_odp }}.
Param ID Label Constraint / Choices
ac-03.02_odp privileged commands and/or other actions privileged commands and/or other actions requiring dual authorization are defined;
AC-03(03)
Mandatory Access Control 5 params
Enforce {{ insert: param, ac-3.3_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and obj...
Param ID Label Constraint / Choices
ac-3.3_prm_1 organization-defined mandatory access control policy Organization-defined
ac-03.03_odp.01 mandatory access control policy mandatory access control policy enforced over the set of covered subjects is defined;
ac-03.03_odp.02 mandatory access control policy mandatory access control policy enforced over the set of covered objects is defined;
ac-03.03_odp.03 subjects subjects to be explicitly granted privileges are defined;
ac-03.03_odp.04 privileges privileges to be explicitly granted to subjects are defined;
AC-03(04)
Discretionary Access Control 3 params
Enforce {{ insert: param, ac-3.4_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to informa...
Param ID Label Constraint / Choices
ac-3.4_prm_1 organization-defined discretionary access control policy Organization-defined
ac-03.04_odp.01 discretionary access control policy discretionary access control policy enforced over the set of covered subjects is defined;
ac-03.04_odp.02 discretionary access control policy discretionary access control policy enforced over the set of covered objects is defined;
AC-03(05)
Security-relevant Information 1 param
Prevent access to {{ insert: param, ac-03.05_odp }} except during secure, non-operable system states.
Param ID Label Constraint / Choices
ac-03.05_odp security-relevant information security-relevant information to which access is prevented except during secure, non-operable system states is defined;
AC-03(06)
Protection of User and System Information
AC-03(07)
Role-based Access Control 3 params
Enforce a role-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-3.7_prm_1 }}.
Param ID Label Constraint / Choices
ac-3.7_prm_1 organization-defined roles and users authorized to assume such roles Organization-defined
ac-03.07_odp.01 roles roles upon which to base control of access are defined;
ac-03.07_odp.02 users authorized to assume such roles users authorized to assume roles (defined in AC-03(07)_ODP[01]) are defined;
AC-03(08)
Revocation of Access Authorizations 1 param
Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on {{ insert: param, ac-03.08_odp }}.
Param ID Label Constraint / Choices
ac-03.08_odp rules rules governing the timing of revocations of access authorizations are defined;
AC-03(09)
Controlled Release 3 params
Release information outside of the system only if: (a) The receiving {{ insert: param, ac-03.09_odp.01 }} provides {{ insert: param, ac-03.09_odp.02 }} ; and (b) {{ insert: param, ac-03.09_odp....
Param ID Label Constraint / Choices
ac-03.09_odp.01 system or system component the outside system or system component to which to release information is defined;
ac-03.09_odp.02 controls controls to be provided by the outside system or system component (defined in AC-03(09)_ODP[01]) are defined;
ac-03.09_odp.03 controls controls used to validate appropriateness of information to be released are defined;
AC-03(10)
Audited Override of Access Control Mechanisms 2 params
Employ an audited override of automated access control mechanisms under {{ insert: param, ac-03.10_odp.01 }} by {{ insert: param, ac-03.10_odp.02 }}.
Param ID Label Constraint / Choices
ac-03.10_odp.01 conditions conditions under which to employ an audited override of automated access control mechanisms are defined;
ac-03.10_odp.02 roles roles allowed to employ an audited override of automated access control mechanisms are defined;
AC-03(11)
Restrict Access to Specific Information Types 1 param
Restrict access to data repositories containing {{ insert: param, ac-03.11_odp }}.
Param ID Label Constraint / Choices
ac-03.11_odp information types information types requiring restricted access to data repositories are defined;
AC-03(12)
Assert and Enforce Application Access 1 param
(a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: {{ insert: param, ac-03.12_odp }}; (b) Provide an ...
Param ID Label Constraint / Choices
ac-03.12_odp system applications and functions system applications and functions requiring access assertion are defined;
AC-03(13)
Attribute-based Access Control 1 param
Enforce attribute-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-03.13_odp }}.
Param ID Label Constraint / Choices
ac-03.13_odp attributes attributes to assume access permissions are defined;
AC-03(14)
Individual Access 2 params
Provide {{ insert: param, ac-03.14_odp.01 }} to enable individuals to have access to the following elements of their personally identifiable information: {{ insert: param, ac-03.14_odp.02 }}.
Param ID Label Constraint / Choices
ac-03.14_odp.01 mechanisms mechanisms enabling individuals to have access to elements of their personally identifiable information are defined;
ac-03.14_odp.02 elements elements of personally identifiable information to which individuals have access are defined;
AC-03(15)
Discretionary and Mandatory Access Control 6 params
(a) Enforce {{ insert: param, ac-3.15_prm_1 }} over the set of covered subjects and objects specified in the policy; and (b) Enforce {{ insert: param, ac-3.15_prm_2 }} over the set of covered s...
Param ID Label Constraint / Choices
ac-3.15_prm_1 organization-defined mandatory access control policy Organization-defined
ac-3.15_prm_2 organization-defined discretionary access control policy Organization-defined
ac-03.15_odp.01 mandatory access control policy a mandatory access control policy enforced over the set of covered subjects specified in the policy is defined;
ac-03.15_odp.02 mandatory access control policy a mandatory access control policy enforced over the set of covered objects specified in the policy is defined;
ac-03.15_odp.03 discretionary access control policy a discretionary access control policy enforced over the set of covered subjects specified in the policy is defined;
ac-03.15_odp.04 discretionary access control policy a discretionary access control policy enforced over the set of covered objects specified in the policy is defined;
AC-04
Information Flow Enforcement 1 param
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.
Param ID Label Constraint / Choices
ac-04_odp information flow control policies information flow control policies within the system and between connected systems are defined;
AC-04(01)
Object Security and Privacy Attributes 11 params
Use {{ insert: param, ac-4.1_prm_1 }} associated with {{ insert: param, ac-4.1_prm_2 }} to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions.
Param ID Label Constraint / Choices
ac-4.1_prm_1 organization-defined security and privacy attributes Organization-defined
ac-4.1_prm_2 organization-defined information, source, and destination objects Organization-defined
ac-04.01_odp.01 security attributes security attributes to be associated with information, source, and destination objects are defined;
ac-04.01_odp.02 privacy attributes privacy attributes to be associated with information, source, and destination objects are defined;
ac-04.01_odp.03 information objects information objects to be associated with information security attributes are defined;
ac-04.01_odp.04 information objects information objects to be associated with privacy attributes are defined;
ac-04.01_odp.05 source objects source objects to be associated with information security attributes are defined;
ac-04.01_odp.06 source objects source objects to be associated with privacy attributes are defined;
ac-04.01_odp.07 destination objects destination objects to be associated with information security attributes are defined;
ac-04.01_odp.08 destination objects destination objects to be associated with privacy attributes are defined;
ac-04.01_odp.09 information flow control policies information flow control policies as a basis for enforcement of flow control decisions are defined;
AC-04(02)
Processing Domains 1 param
Use protected processing domains to enforce {{ insert: param, ac-04.02_odp }} as a basis for flow control decisions.
Param ID Label Constraint / Choices
ac-04.02_odp information flow control policies information flow control policies to be enforced by use of protected processing domains are defined;
AC-04(03)
Dynamic Information Flow Control 1 param
Enforce {{ insert: param, ac-04.03_odp }}.
Param ID Label Constraint / Choices
ac-04.03_odp information flow control policies information flow control policies to be enforced are defined;
AC-04(04)
Flow Control of Encrypted Information 3 params
Prevent encrypted information from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.
Param ID Label Constraint / Choices
ac-04.04_odp.01 information flow control mechanisms information flow control mechanisms that encrypted information is prevented from bypassing are defined;
ac-04.04_odp.02 Select one-or-more: decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; {{ insert: param, ac-04.04_odp.03 }}
ac-04.04_odp.03 organization-defined procedure or method the organization-defined procedure or method used to prevent encrypted information from bypassing information flow co...
AC-04(05)
Embedded Data Types 1 param
Enforce {{ insert: param, ac-04.05_odp }} on embedding data types within other data types.
Param ID Label Constraint / Choices
ac-04.05_odp limitations limitations on embedding data types within other data types are defined;
AC-04(06)
Metadata 1 param
Enforce information flow control based on {{ insert: param, ac-04.06_odp }}.
Param ID Label Constraint / Choices
ac-04.06_odp metadata metadata on which to base enforcement of information flow control is defined;
AC-04(07)
One-way Flow Mechanisms
Enforce one-way information flows through hardware-based flow control mechanisms.
AC-04(08)
Security and Privacy Policy Filters 10 params
(a) Enforce information flow control using {{ insert: param, ac-4.8_prm_1 }} as a basis for flow control decisions for {{ insert: param, ac-4.8_prm_2 }} ; and (b) {{ insert: param, ac-04.08_odp...
Param ID Label Constraint / Choices
ac-4.8_prm_1 organization-defined security or privacy policy filters Organization-defined
ac-4.8_prm_2 organization-defined information flows Organization-defined
ac-4.8_prm_4 organization-defined security or privacy policy Organization-defined
ac-04.08_odp.01 security policy filter security policy filters to be used as a basis for enforcing information flow control are defined;
ac-04.08_odp.02 privacy policy filter privacy policy filters to be used as a basis for enforcing information flow control are defined;
ac-04.08_odp.03 information flows information flows for which information flow control is enforced by security filters are defined;
ac-04.08_odp.04 information flows information flows for which information flow control is enforced by privacy filters are defined;
ac-04.08_odp.05 Select one-or-more: block; strip; modify; quarantine
ac-04.08_odp.06 security policy security policy identifying actions to be taken after a filter processing failure is defined;
ac-04.08_odp.07 privacy policy privacy policy identifying actions to be taken after a filter processing failure is defined;
AC-04(09)
Human Reviews 2 params
Enforce the use of human reviews for {{ insert: param, ac-04.09_odp.01 }} under the following conditions: {{ insert: param, ac-04.09_odp.02 }}.
Param ID Label Constraint / Choices
ac-04.09_odp.01 information flows information flows requiring the use of human reviews are defined;
ac-04.09_odp.02 conditions conditions under which the use of human reviews for information flows is to be enforced are defined;
AC-04(10)
Enable and Disable Security or Privacy Policy Filters 6 params
Provide the capability for privileged administrators to enable and disable {{ insert: param, ac-4.10_prm_1 }} under the following conditions: {{ insert: param, ac-4.10_prm_2 }}.
Param ID Label Constraint / Choices
ac-4.10_prm_1 organization-defined security or privacy policy filters Organization-defined
ac-4.10_prm_2 organization-defined conditions Organization-defined
ac-04.10_odp.01 security filters security policy filters that privileged administrators have the capability to enable and disable are defined;
ac-04.10_odp.02 privacy filters privacy policy filters that privileged administrators have the capability to enable and disable are defined;
ac-04.10_odp.03 conditions conditions under which privileged administrators have the capability to enable and disable security policy filters ar...
ac-04.10_odp.04 conditions conditions under which privileged administrators have the capability to enable and disable privacy policy filters are...
AC-04(11)
Configuration of Security or Privacy Policy Filters 3 params
Provide the capability for privileged administrators to configure {{ insert: param, ac-4.11_prm_1 }} to support different security or privacy policies.
Param ID Label Constraint / Choices
ac-4.11_prm_1 organization-defined security or privacy policy filters Organization-defined
ac-04.11_odp.01 security policy filters security policy filters that privileged administrators have the capability to configure to support different security...
ac-04.11_odp.02 privacy policy filters privacy policy filters that privileged administrators have the capability to configure to support different security ...
AC-04(12)
Data Type Identifiers 1 param
When transferring information between different security domains, use {{ insert: param, ac-04.12_odp }} to validate data essential for information flow decisions.
Param ID Label Constraint / Choices
ac-04.12_odp data type identifiers data type identifiers to be used to validate data essential for information flow decisions are defined;
AC-04(13)
Decomposition into Policy-relevant Subcomponents 1 param
When transferring information between different security domains, decompose information into {{ insert: param, ac-04.13_odp }} for submission to policy enforcement mechanisms.
Param ID Label Constraint / Choices
ac-04.13_odp policy-relevant subcomponents policy-relevant subcomponents into which to decompose information for submission to policy enforcement mechanisms are...
AC-04(14)
Security or Privacy Policy Filter Constraints 3 params
When transferring information between different security domains, implement {{ insert: param, ac-4.14_prm_1 }} requiring fully enumerated formats that restrict data structure and content.
Param ID Label Constraint / Choices
ac-4.14_prm_1 organization-defined security or privacy policy filters Organization-defined
ac-04.14_odp.01 security policy filters security policy filters to be implemented that require fully enumerated formats restricting data structure and conten...
ac-04.14_odp.02 privacy policy filters privacy policy filters to be implemented that require fully enumerated formats restricting data structure and content...
AC-04(15)
Detection of Unsanctioned Information 4 params
When transferring information between different security domains, examine the information for the presence of {{ insert: param, ac-04.15_odp.01 }} and prohibit the transfer of such information in a...
Param ID Label Constraint / Choices
ac-4.15_prm_2 organization-defined security or privacy policy Organization-defined
ac-04.15_odp.01 unsanctioned information unsanctioned information to be detected is defined;
ac-04.15_odp.02 security policy security policy that requires the transfer of unsanctioned information between different security domains to be prohi...
ac-04.15_odp.03 privacy policy privacy policy that requires the transfer of organization-defined unsanctioned information between different security...
AC-04(16)
Information Transfers on Interconnected Systems
AC-04(17)
Domain Authentication 1 param
Uniquely identify and authenticate source and destination points by {{ insert: param, ac-04.17_odp }} for information transfer.
Param ID Label Constraint / Choices
ac-04.17_odp Select one-or-more: organization, system, application, service, individual
AC-04(18)
Security Attribute Binding
AC-04(19)
Validation of Metadata 3 params
When transferring information between different security domains, implement {{ insert: param, ac-4.19_prm_1 }} on metadata.
Param ID Label Constraint / Choices
ac-4.19_prm_1 organization-defined security or privacy policy filters Organization-defined
ac-04.19_odp.01 security policy filters security policy filters to be implemented on metadata are defined (if selected);
ac-04.19_odp.02 privacy policy filters privacy policy filters to be implemented on metadata are defined (if selected);
AC-04(20)
Approved Solutions 2 params
Employ {{ insert: param, ac-04.20_odp.01 }} to control the flow of {{ insert: param, ac-04.20_odp.02 }} across security domains.
Param ID Label Constraint / Choices
ac-04.20_odp.01 solutions in approved configurations solutions in approved configurations to control the flow of information across security domains are defined;
ac-04.20_odp.02 information information to be controlled when it flows across security domains is defined;
AC-04(21)
Physical or Logical Separation of Information Flows 4 params
Separate information flows logically or physically using {{ insert: param, ac-4.21_prm_1 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}.
Param ID Label Constraint / Choices
ac-4.21_prm_1 organization-defined mechanisms and/or techniques Organization-defined
ac-04.21_odp.01 mechanisms and/or techniques mechanisms and/or techniques used to logically separate information flows are defined (if selected);
ac-04.21_odp.02 mechanisms and/or techniques mechanisms and/or techniques used to physically separate information flows are defined (if selected);
ac-04.21_odp.03 required separations required separations by types of information are defined;
AC-04(22)
Access Only
Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security d...
AC-04(23)
Modify Non-releasable Information 1 param
When transferring information between different security domains, modify non-releasable information by implementing {{ insert: param, ac-04.23_odp }}.
Param ID Label Constraint / Choices
ac-04.23_odp modification action modification action implemented on non-releasable information is defined;
AC-04(24)
Internal Normalized Format
When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.
AC-04(25)
Data Sanitization 2 params
When transferring information between different security domains, sanitize data to minimize {{ insert: param, ac-04.25_odp.01 }} in accordance with {{ insert: param, ac-04.25_odp.02 }}.
Param ID Label Constraint / Choices
ac-04.25_odp.01 Select one-or-more: delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography-encoded data; spillage of sensitive information
ac-04.25_odp.02 policy policy for sanitizing data is defined;
AC-04(26)
Audit Filtering Actions
When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.
AC-04(27)
Redundant/Independent Filtering Mechanisms
When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.
AC-04(28)
Linear Filter Pipelines
When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.
AC-04(29)
Filter Orchestration Engines 1 param
When transferring information between different security domains, employ content filter orchestration engines to ensure that: (a) Content filtering mechanisms successfully complete execution with...
Param ID Label Constraint / Choices
ac-04.29_odp policy policy for content-filtering actions is defined;
AC-04(30)
Filter Mechanisms Using Multiple Processes
When transferring information between different security domains, implement content filtering mechanisms using multiple processes.
AC-04(31)
Failed Content Transfer Prevention
When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.
AC-04(32)
Process Requirements for Information Transfer
When transferring information between different security domains, the process that transfers information between filter pipelines: (a) Does not filter message content; (b) Validates filtering m...
AC-05
Separation of Duties 1 param
a. Identify and document {{ insert: param, ac-05_odp }} ; and b. Define system access authorizations to support separation of duties.
Param ID Label Constraint / Choices
ac-05_odp duties of individuals duties of individuals requiring separation are defined;
AC-06
Least Privilege
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
AC-06(01)
Authorize Access to Security Functions 6 params
Authorize access for {{ insert: param, ac-06.01_odp.01 }} to: (a) {{ insert: param, ac-6.1_prm_2 }} ; and (b) {{ insert: param, ac-06.01_odp.05 }}.
Param ID Label Constraint / Choices
ac-6.1_prm_2 organization-defined security functions (deployed in hardware, software, and firmware) Organization-defined
ac-06.01_odp.01 individuals and roles individuals and roles with authorized access to security functions and security-relevant information are defined;
ac-06.01_odp.02 security functions (deployed in hardware) security functions (deployed in hardware) for authorized access are defined;
ac-06.01_odp.03 security functions (deployed in software) security functions (deployed in software) for authorized access are defined;
ac-06.01_odp.04 security functions (deployed in firmware) security functions (deployed in firmware) for authorized access are defined;
ac-06.01_odp.05 security-relevant information security-relevant information for authorized access is defined;
AC-06(02)
Non-privileged Access for Nonsecurity Functions 1 param
Require that users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} use non-privileged accounts or roles, when accessing nonsecurity functions.
Param ID Label Constraint / Choices
ac-06.02_odp security functions or security-relevant information security functions or security-relevant information, the access to which requires users to use non-privileged account...
AC-06(03)
Network Access to Privileged Commands 2 params
Authorize network access to {{ insert: param, ac-06.03_odp.01 }} only for {{ insert: param, ac-06.03_odp.02 }} and document the rationale for such access in the security plan for the system.
Param ID Label Constraint / Choices
ac-06.03_odp.01 privileged commands privileged commands to which network access is to be authorized only for compelling operational needs are defined;
ac-06.03_odp.02 compelling operational needs compelling operational needs necessitating network access to privileged commands are defined;
AC-06(04)
Separate Processing Domains
Provide separate processing domains to enable finer-grained allocation of user privileges.
AC-06(05)
Privileged Accounts 1 param
Restrict privileged accounts on the system to {{ insert: param, ac-06.05_odp }}.
Param ID Label Constraint / Choices
ac-06.05_odp personnel or roles personnel or roles to which privileged accounts on the system are to be restricted is/are defined;
AC-06(06)
Privileged Access by Non-organizational Users
Prohibit privileged access to the system by non-organizational users.
AC-06(07)
Review of User Privileges 2 params
(a) Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and (b) Reassign or remove privileges, ...
Param ID Label Constraint / Choices
ac-06.07_odp.01 frequency the frequency at which to review the privileges assigned to roles or classes of users is defined;
ac-06.07_odp.02 roles and classes roles or classes of users to which privileges are assigned are defined;
AC-06(08)
Privilege Levels for Code Execution 1 param
Prevent the following software from executing at higher privilege levels than users executing the software: {{ insert: param, ac-06.08_odp }}.
Param ID Label Constraint / Choices
ac-06.08_odp software software to be prevented from executing at higher privilege levels than users executing the software is defined;
AC-06(09)
Log Use of Privileged Functions
Log the execution of privileged functions.
AC-06(10)
Prohibit Non-privileged Users from Executing Privileged Functions
Prevent non-privileged users from executing privileged functions.
AC-07
Unsuccessful Logon Attempts 6 params
a. Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and b. Automatically {{ insert: param, ac-07_od...
Param ID Label Constraint / Choices
ac-07_odp.01 number the number of consecutive invalid logon attempts by a user allowed during a time period is defined;
ac-07_odp.02 time period the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;
ac-07_odp.03 Select one-or-more: lock the account or node for {{ insert: param, ac-07_odp.04 }} ; lock the account or node until released by an administrator; delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ; notify system administrator; take other {{ insert: param, ac-07_odp.06 }}
ac-07_odp.04 time period time period for an account or node to be locked is defined (if selected);
ac-07_odp.05 delay algorithm delay algorithm for the next logon prompt is defined (if selected);
ac-07_odp.06 action other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);
AC-07(01)
Automatic Account Lock
AC-07(02)
Purge or Wipe Mobile Device 3 params
Purge or wipe information from {{ insert: param, ac-07.02_odp.01 }} based on {{ insert: param, ac-07.02_odp.02 }} after {{ insert: param, ac-07.02_odp.03 }} consecutive, unsuccessful device logon a...
Param ID Label Constraint / Choices
ac-07.02_odp.01 mobile devices mobile devices to be purged or wiped of information are defined;
ac-07.02_odp.02 purging or wiping requirements and techniques purging and wiping requirements and techniques to be used when mobile devices are purged or wiped of information are ...
ac-07.02_odp.03 number the number of consecutive, unsuccessful logon attempts before the information is purged or wiped from mobile devices ...
AC-07(03)
Biometric Attempt Limiting 1 param
Limit the number of unsuccessful biometric logon attempts to {{ insert: param, ac-07.03_odp }}.
Param ID Label Constraint / Choices
ac-07.03_odp number the number of unsuccessful biometric logon attempts is defined;
AC-07(04)
Use of Alternate Authentication Factor 3 params
(a) Allow the use of {{ insert: param, ac-07.04_odp.01 }} that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts ha...
Param ID Label Constraint / Choices
ac-07.04_odp.01 authentication factors authentication factors allowed to be used that are different from the primary authentication factors are defined;
ac-07.04_odp.02 number the number of consecutive, invalid logon attempts through the use of alternative factors for which to enforce a limit...
ac-07.04_odp.03 time period time period during which a user can attempt logons through alternative factors is defined;
AC-08
System Use Notification 2 params
a. Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives...
Param ID Label Constraint / Choices
ac-08_odp.01 system use notification system use notification message or banner to be displayed by the system to users before granting access to the system...
ac-08_odp.02 conditions conditions for system use to be displayed by the system before granting further access are defined;
AC-09
Previous Logon Notification
Notify the user, upon successful logon to the system, of the date and time of the last logon.
AC-09(01)
Unsuccessful Logons
Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
AC-09(02)
Successful and Unsuccessful Logons 2 params
Notify the user, upon successful logon, of the number of {{ insert: param, ac-09.02_odp.01 }} during {{ insert: param, ac-09.02_odp.02 }}.
Param ID Label Constraint / Choices
ac-09.02_odp.01 Select one: successful logons; unsuccessful logon attempts; both
ac-09.02_odp.02 time period the time period for which the system notifies the user of the number of successful logons, unsuccessful logon attempt...
AC-09(03)
Notification of Account Changes 2 params
Notify the user, upon successful logon, of changes to {{ insert: param, ac-09.03_odp.01 }} during {{ insert: param, ac-09.03_odp.02 }}.
Param ID Label Constraint / Choices
ac-09.03_odp.01 security-related characteristics or parameters changes to security-related characteristics or parameters of the user’s account that require notification are defined;
ac-09.03_odp.02 time period the time period for which the system notifies the user of changes to security-related characteristics or parameters o...
AC-09(04)
Additional Logon Information 1 param
Notify the user, upon successful logon, of the following additional information: {{ insert: param, ac-09.04_odp }}.
Param ID Label Constraint / Choices
ac-09.04_odp additional information additional information about which to notify the user is defined;
AC-10
Concurrent Session Control 2 params
Limit the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} to {{ insert: param, ac-10_odp.02 }}.
Param ID Label Constraint / Choices
ac-10_odp.01 account and/or account types accounts and/or account types for which to limit the number of concurrent sessions is defined;
ac-10_odp.02 number the number of concurrent sessions to be allowed for each account and/or account type is defined;
AC-11
Device Lock 2 params
a. Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and b. Retain the device lock until the user reestablishes access using established identification and authenticat...
Param ID Label Constraint / Choices
ac-11_odp.01 Select one-or-more: initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity; requiring the user to initiate a device lock before leaving the system unattended
ac-11_odp.02 time period time period of inactivity after which a device lock is initiated is defined (if selected);
AC-11(01)
Pattern-hiding Displays
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
ac-11a Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and
ac-11b Retain the device lock until the user reestablishes access using established identification and authentication procedures.
AC-12
Session Termination 1 param
Automatically terminate a user session after {{ insert: param, ac-12_odp }}.
Param ID Label Constraint / Choices
ac-12_odp conditions or trigger events conditions or trigger events requiring session disconnect are defined;
AC-12(01)
User-initiated Logouts 1 param
Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.01_odp }}.
Param ID Label Constraint / Choices
ac-12.01_odp information resources information resources for which a logout capability for user-initiated communications sessions is required are defined;
AC-12(02)
Termination Message
Display an explicit logout message to users indicating the termination of authenticated communications sessions.
AC-12(03)
Timeout Warning Message 1 param
Display an explicit message to users indicating that the session will end in {{ insert: param, ac-12.03_odp }}.
Param ID Label Constraint / Choices
ac-12.03_odp time time until the end of session for display to users is defined;
AC-13
Supervision and Review — Access Control
AC-14
Permitted Actions Without Identification or Authentication 1 param
a. Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. Doc...
Param ID Label Constraint / Choices
ac-14_odp user actions user actions that can be performed on the system without identification or authentication are defined;
AC-14(01)
Necessary Uses
ac-14a Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational...
ac-14b Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.
AC-15
Automated Marking
AC-16
Security and Privacy Attributes 17 params
a. Provide the means to associate {{ insert: param, ac-16_prm_1 }} with {{ insert: param, ac-16_prm_2 }} for information in storage, in process, and/or in transmission; b. Ensure that the attri...
Param ID Label Constraint / Choices
ac-16_prm_1 organization-defined types of security and privacy attributes Organization-defined
ac-16_prm_2 organization-defined security and privacy attribute values Organization-defined
ac-16_prm_3 organization-defined systems Organization-defined
ac-16_prm_4 organization-defined security and privacy attributes Organization-defined
ac-16_prm_6 organization-defined security and privacy attributes Organization-defined
ac-16_prm_7 organization-defined frequency Organization-defined
ac-16_odp.01 types of security attributes types of security attributes to be associated with information security attribute values for information in storage, ...
ac-16_odp.02 types of privacy attributes types of privacy attributes to be associated with privacy attribute values for information in storage, in process, an...
ac-16_odp.03 security attribute values security attribute values for types of security attributes are defined;
ac-16_odp.04 privacy attribute values privacy attribute values for types of privacy attributes are defined;
ac-16_odp.05 systems systems for which permitted security attributes are to be established are defined;
ac-16_odp.06 systems systems for which permitted privacy attributes are to be established are defined;
ac-16_odp.07 security attributes security attributes defined as part of AC-16a that are permitted for systems are defined;
ac-16_odp.08 privacy attributes privacy attributes defined as part of AC-16a that are permitted for systems are defined;
ac-16_odp.09 attribute values or ranges attribute values or ranges for established attributes are defined;
ac-16_odp.10 frequency the frequency at which to review security attributes for applicability is defined;
ac-16_odp.11 frequency the frequency at which to review privacy attributes for applicability is defined;
AC-16(01)
Dynamic Attribute Association 8 params
Dynamically associate security and privacy attributes with {{ insert: param, ac-16.1_prm_1 }} in accordance with the following security and privacy policies as information is created and combined: ...
Param ID Label Constraint / Choices
ac-16.1_prm_1 organization-defined subjects and objects Organization-defined
ac-16.1_prm_2 organization-defined security and privacy policies Organization-defined
ac-16.01_odp.01 subjects subjects with which security attributes are to be dynamically associated as information is created and combined are d...
ac-16.01_odp.02 objects objects with which security attributes are to be dynamically associated as information is created and combined are de...
ac-16.01_odp.03 subjects subjects with which privacy attributes are to be dynamically associated as information is created and combined are de...
ac-16.01_odp.04 objects objects with which privacy attributes are to be dynamically associated as information is created and combined are def...
ac-16.01_odp.05 security policies security policies requiring dynamic association of security attributes with subjects and objects are defined;
ac-16.01_odp.06 privacy policies privacy policies requiring dynamic association of privacy attributes with subjects and objects are defined;
AC-16(02)
Attribute Value Changes by Authorized Individuals
Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.
AC-16(03)
Maintenance of Attribute Associations by System 8 params
Maintain the association and integrity of {{ insert: param, ac-16.3_prm_1 }} to {{ insert: param, ac-16.3_prm_2 }}.
Param ID Label Constraint / Choices
ac-16.3_prm_1 organization-defined security and privacy attributes Organization-defined
ac-16.3_prm_2 organization-defined subjects and objects Organization-defined
ac-16.03_odp.01 security attributes security attributes that require association and integrity maintenance are defined;
ac-16.03_odp.02 privacy attributes privacy attributes that require association and integrity maintenance are defined;
ac-16.03_odp.03 subjects subjects requiring the association and integrity of security attributes to such subjects to be maintained are defined;
ac-16.03_odp.04 objects objects requiring the association and integrity of security attributes to such objects to be maintained are defined;
ac-16.03_odp.05 subjects subjects requiring the association and integrity of privacy attributes to such subjects to be maintained are defined;
ac-16.03_odp.06 objects objects requiring the association and integrity of privacy attributes to such objects to be maintained are defined;
AC-16(04)
Association of Attributes by Authorized Individuals 10 params
Provide the capability to associate {{ insert: param, ac-16.4_prm_1 }} with {{ insert: param, ac-16.4_prm_2 }} by authorized individuals (or processes acting on behalf of individuals).
Param ID Label Constraint / Choices
ac-16.4_prm_1 organization-defined security and privacy attributes Organization-defined
ac-16.4_prm_2 organization-defined subjects and objects Organization-defined
ac-16.04_odp.01 security attributes security attributes to be associated with subjects by authorized individuals (or processes acting on behalf of indivi...
ac-16.04_odp.02 security attributes security attributes to be associated with objects by authorized individuals (or processes acting on behalf of individ...
ac-16.04_odp.03 privacy attributes privacy attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individ...
ac-16.04_odp.04 privacy attributes privacy attributes to be associated with objects by authorized individuals (or processes acting on behalf of individu...
ac-16.04_odp.05 subjects subjects requiring the association of security attributes by authorized individuals (or processes acting on behalf of...
ac-16.04_odp.06 objects objects requiring the association of security attributes by authorized individuals (or processes acting on behalf of ...
ac-16.04_odp.07 subjects subjects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of ...
ac-16.04_odp.08 objects objects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of i...
AC-16(05)
Attribute Displays on Objects to Be Output 2 params
Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac...
Param ID Label Constraint / Choices
ac-16.05_odp.01 instructions special dissemination, handling, or distribution instructions to be used for each object that the system transmits to...
ac-16.05_odp.02 naming conventions human-readable, standard naming conventions for the security and privacy attributes to be displayed in human-readable...
AC-16(06)
Maintenance of Attribute Association 13 params
Require personnel to associate and maintain the association of {{ insert: param, ac-16.6_prm_1 }} with {{ insert: param, ac-16.6_prm_2 }} in accordance with {{ insert: param, ac-16.6_prm_3 }}.
Param ID Label Constraint / Choices
ac-16.6_prm_1 organization-defined security and privacy attributes Organization-defined
ac-16.6_prm_2 organization-defined subjects and objects Organization-defined
ac-16.6_prm_3 organization-defined security and privacy policies Organization-defined
ac-16.06_odp.01 security attributes security attributes to be associated with subjects are defined;
ac-16.06_odp.02 security attributes security attributes to be associated with objects are defined;
ac-16.06_odp.03 privacy attributes privacy attributes to be associated with subjects are defined;
ac-16.06_odp.04 privacy attributes privacy attributes to be associated with objects are defined;
ac-16.06_odp.05 subjects subjects to be associated with information security attributes are defined;
ac-16.06_odp.06 objects objects to be associated with information security attributes are defined;
ac-16.06_odp.07 subjects subjects to be associated with privacy attributes are defined;
ac-16.06_odp.08 objects objects to be associated with privacy attributes are defined;
ac-16.06_odp.09 security policies security policies that require personnel to associate and maintain the association of security and privacy attributes...
ac-16.06_odp.10 privacy policies privacy policies that require personnel to associate and maintain the association of security and privacy attributes ...
AC-16(07)
Consistent Attribute Interpretation
Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.
AC-16(08)
Association Techniques and Technologies 3 params
Implement {{ insert: param, ac-16.8_prm_1 }} in associating security and privacy attributes to information.
Param ID Label Constraint / Choices
ac-16.8_prm_1 organization-defined techniques and technologies Organization-defined
ac-16.08_odp.01 techniques and technologies techniques and technologies to be implemented in associating security attributes to information are defined;
ac-16.08_odp.02 techniques and technologies techniques and technologies to be implemented in associating privacy attributes to information are defined;
AC-16(09)
Attribute Reassignment — Regrading Mechanisms 3 params
Change security and privacy attributes associated with information only via regrading mechanisms validated using {{ insert: param, ac-16.9_prm_1 }}.
Param ID Label Constraint / Choices
ac-16.9_prm_1 organization-defined techniques or procedures Organization-defined
ac-16.09_odp.01 techniques or procedures techniques or procedures used to validate regrading mechanisms for security attributes are defined;
ac-16.09_odp.02 techniques or procedures techniques or procedures used to validate regrading mechanisms for privacy attributes are defined;
AC-16(10)
Attribute Configuration by Authorized Individuals
Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.
ac-16a Provide the means to associate {{ insert: param, ac-16_prm_1 }} with {{ insert: param, ac-16_prm_2 }} for information in storage, in process, and/o...
ac-16b Ensure that the attribute associations are made and retained with the information;
ac-16c Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for {{ insert: param, ac-16...
ac-16d Determine the following permitted attribute values or ranges for each of the established attributes: {{ insert: param, ac-16_odp.09 }};
ac-16e Audit changes to attributes; and
ac-16f Review {{ insert: param, ac-16_prm_6 }} for applicability {{ insert: param, ac-16_prm_7 }}.
AC-17
Remote Access
a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote acc...
AC-17(01)
Monitoring and Control
Employ automated mechanisms to monitor and control remote access methods.
AC-17(02)
Protection of Confidentiality and Integrity Using Encryption
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
AC-17(03)
Managed Access Control Points
Route remote accesses through authorized and managed network access control points.
AC-17(04)
Privileged Commands and Access 3 params
(a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{...
Param ID Label Constraint / Choices
ac-17.4_prm_1 organization-defined needs Organization-defined
ac-17.04_odp.01 needs requiring remote access needs requiring execution of privileged commands via remote access are defined;
ac-17.04_odp.02 needs requiring remote access needs requiring access to security-relevant information via remote access are defined;
AC-17(05)
Monitoring for Unauthorized Connections
AC-17(06)
Protection of Mechanism Information
Protect information about remote access mechanisms from unauthorized use and disclosure.
AC-17(07)
Additional Protection for Security Function Access
AC-17(08)
Disable Nonsecure Network Protocols
AC-17(09)
Disconnect or Disable Access 1 param
Provide the capability to disconnect or disable remote access to the system within {{ insert: param, ac-17.09_odp }}.
Param ID Label Constraint / Choices
ac-17.09_odp time period the time period within which to disconnect or disable remote access to the system is defined;
AC-17(10)
Authenticate Remote Commands 2 params
Implement {{ insert: param, ac-17.10_odp.01 }} to authenticate {{ insert: param, ac-17.10_odp.02 }}.
Param ID Label Constraint / Choices
ac-17.10_odp.01 mechanisms mechanisms implemented to authenticate remote commands are defined;
ac-17.10_odp.02 remote commands remote commands to be authenticated by mechanisms are defined;
ac-17.4.(a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessa...
ac-17.4.(b) Document the rationale for remote access in the security plan for the system.
ac-17a Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowe...
ac-17b Authorize each type of remote access to the system prior to allowing such connections.
AC-18
Wireless Access
a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and b. Authorize each type of wireless access to the system prior...
AC-18(01)
Authentication and Encryption 1 param
Protect wireless access to the system using authentication of {{ insert: param, ac-18.01_odp }} and encryption.
Param ID Label Constraint / Choices
ac-18.01_odp Select one-or-more: users; devices
AC-18(02)
Monitoring Unauthorized Connections
AC-18(03)
Disable Wireless Networking
Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.
AC-18(04)
Restrict Configurations by Users
Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.
AC-18(05)
Antennas and Transmission Power Levels
Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.
ac-18a Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
ac-18b Authorize each type of wireless access to the system prior to allowing such connections.
AC-19
Access Control for Mobile Devices
a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled ar...
AC-19(01)
Use of Writable and Portable Storage Devices
AC-19(02)
Use of Personally Owned Portable Storage Devices
AC-19(03)
Use of Portable Storage Devices with No Identifiable Owner
AC-19(04)
Restrictions for Classified Information 2 params
(a) Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing o...
Param ID Label Constraint / Choices
ac-19.04_odp.01 security officials security officials responsible for the review and inspection of unclassified mobile devices and the information store...
ac-19.04_odp.02 security policies security policies restricting the connection of classified mobile devices to classified systems are defined;
AC-19(05)
Full Device or Container-based Encryption 2 params
Employ {{ insert: param, ac-19.05_odp.01 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.
Param ID Label Constraint / Choices
ac-19.05_odp.01 Select one: full-device encryption; container-based encryption
ac-19.05_odp.02 mobile devices mobile devices on which to employ encryption are defined;
ac-19.4.(a) Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless...
ac-19.4.(b) Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing...
ac-19.4.(b).(1) Connection of unclassified mobile devices to classified systems is prohibited;
ac-19.4.(b).(2) Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official;
ac-19.4.(b).(3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
ac-19.4.(b).(4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by {{ insert: param, ac-19.04...
ac-19.4.(c) Restrict the connection of classified mobile devices to classified systems in accordance with {{ insert: param, ac-19.04_odp.02 }}.
ac-19a Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include w...
ac-19b Authorize the connection of mobile devices to organizational systems.
ac-1a Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:
ac-1a.1 {{ insert: param, ac-01_odp.03 }} access control policy that:
ac-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
ac-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
ac-1a.2 Procedures to facilitate the implementation of the access control policy and the associated access controls;
ac-1b Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedu...
ac-1c Review and update the current access control:
ac-1c.1 Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and
ac-1c.2 Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}.
AC-20
Use of External Systems 4 params
a. {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized ind...
Param ID Label Constraint / Choices
ac-20_odp.01 Select one-or-more: establish {{ insert: param, ac-20_odp.02 }} ; identify {{ insert: param, ac-20_odp.03 }}
ac-20_odp.02 terms and conditions terms and conditions consistent with the trust relationships established with other organizations owning, operating, ...
ac-20_odp.03 controls asserted controls asserted to be implemented on external systems consistent with the trust relationships established with othe...
ac-20_odp.04 prohibited types of external systems types of external systems prohibited from use are defined;
AC-20(01)
Limits on Authorized Use
Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after: (a) Verification of the implementati...
AC-20(02)
Portable Storage Devices — Restricted Use 1 param
Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ insert: param, ac-20.02_odp }}.
Param ID Label Constraint / Choices
ac-20.02_odp restrictions restrictions on the use of organization-controlled portable storage devices by authorized individuals on external sys...
AC-20(03)
Non-organizationally Owned Systems — Restricted Use 1 param
Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using {{ insert: param, ac-20.03_odp }}.
Param ID Label Constraint / Choices
ac-20.03_odp restrictions restrictions on the use of non-organizationally owned systems or system components to process, store, or transmit org...
AC-20(04)
Network Accessible Storage Devices — Prohibited Use 1 param
Prohibit the use of {{ insert: param, ac-20.04_odp }} in external systems.
Param ID Label Constraint / Choices
ac-20.04_odp network-accessible storage devices network-accessible storage devices prohibited from use in external systems are defined;
AC-20(05)
Portable Storage Devices — Prohibited Use
Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.
ac-20.1.(a) Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security...
ac-20.1.(b) Retention of approved system connection or processing agreements with the organizational entity hosting the external system.
ac-20a {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintain...
ac-20a.1 Access the system from external systems; and
ac-20a.2 Process, store, or transmit organization-controlled information using external systems; or
ac-20b Prohibit the use of {{ insert: param, ac-20_odp.04 }}.
AC-21
Information Sharing 2 params
a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }}; and...
Param ID Label Constraint / Choices
ac-21_odp.01 information-sharing circumstances information-sharing circumstances where user discretion is required to determine whether access authorizations assign...
ac-21_odp.02 automated mechanisms automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions ...
AC-21(01)
Automated Decision Support 1 param
Employ {{ insert: param, ac-21.01_odp }} to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be...
Param ID Label Constraint / Choices
ac-21.01_odp automated mechanisms automated mechanisms employed to enforce information-sharing decisions by authorized users are defined;
AC-21(02)
Information Search and Retrieval 1 param
Implement information search and retrieval services that enforce {{ insert: param, ac-21.02_odp }}.
Param ID Label Constraint / Choices
ac-21.02_odp information-sharing restrictions information-sharing restrictions to be enforced by information search and retrieval services are defined;
ac-2.12.(a) Monitor system accounts for {{ insert: param, ac-02.12_odp.01 }}; and
ac-2.12.(b) Report atypical usage of system accounts to {{ insert: param, ac-02.12_odp.02 }}.
ac-21a Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restriction...
ac-21b Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions.
AC-22
Publicly Accessible Content 1 param
a. Designate individuals authorized to make information publicly accessible; b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic informatio...
Param ID Label Constraint / Choices
ac-22_odp frequency the frequency at which to review the content on the publicly accessible system for non-public information is defined;
ac-22a Designate individuals authorized to make information publicly accessible;
ac-22b Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
ac-22c Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not include...
ac-22d Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if disco...
AC-23
Data Mining Protection 2 params
Employ {{ insert: param, ac-23_odp.01 }} for {{ insert: param, ac-23_odp.02 }} to detect and protect against unauthorized data mining.
Param ID Label Constraint / Choices
ac-23_odp.01 techniques data mining prevention and detection techniques are defined;
ac-23_odp.02 data storage objects data storage objects to be protected against unauthorized data mining are defined;
ac-2.3.(a) Have expired;
ac-2.3.(b) Are no longer associated with a user or individual;
ac-2.3.(c) Are in violation of organizational policy; or
ac-2.3.(d) Have been inactive for {{ insert: param, ac-02.03_odp.02 }}.
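Worked example for the four AC-2(3) disable conditions above (added here as illustration; it is not part of the control catalog). It evaluates a constructed account inventory against clauses (a) through (d) in the order the control lists them and returns the accounts that must be disabled with the clause that triggered. The 90-day value for ac-02.03_odp.02, the Account fields, and the rule that a never-used account is aged from its creation date are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed value for ac-02.03_odp.02 (the organization-defined inactivity period).
INACTIVITY_PERIOD = timedelta(days=90)


@dataclass
class Account:
    name: str
    created_at: datetime
    expires_at: Optional[datetime] = None   # None: no expiration set
    owner: Optional[str] = None             # None: no longer tied to a person
    last_login: Optional[datetime] = None   # None: never used
    policy_violation: bool = False          # set by whatever process detects clause (c)


def disable_reason(acct: Account, now: datetime,
                   inactivity: timedelta = INACTIVITY_PERIOD) -> Optional[str]:
    """Return the AC-2(3) clause that requires disabling, or None if the account may stay enabled.
    Checks run in the order the control lists them; the first match wins."""
    if acct.expires_at is not None and acct.expires_at <= now:        # (a)
        return "expired"
    if not acct.owner:                                                 # (b)
        return "no_associated_user"
    if acct.policy_violation:                                          # (c)
        return "policy_violation"
    # (d) An account that has never logged in is measured from creation, so a
    # provisioned-but-unused account still ages out (assumption, not from the control text).
    last_activity = acct.last_login or acct.created_at
    if now - last_activity >= inactivity:
        return "inactive"
    return None


def accounts_to_disable(accounts, now, inactivity=INACTIVITY_PERIOD):
    """Map account name -> reason for every account that must be disabled."""
    result = {}
    for acct in accounts:
        reason = disable_reason(acct, now, inactivity)
        if reason:
            result[acct.name] = reason
    return result


# Constructed sample inventory (not real data). Timestamps are UTC-aware so
# comparisons never mix naive and aware datetimes.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def d(days_ago):
    return NOW - timedelta(days=days_ago)


SAMPLE_ACCOUNTS = [
    Account("alice", created_at=d(400), owner="alice@example.org", last_login=d(3)),
    Account("contractor7", created_at=d(200), owner="bob@example.org",
            expires_at=d(1), last_login=d(2)),
    Account("svc-legacy", created_at=d(900), owner=None, last_login=d(10)),
    Account("mallory", created_at=d(50), owner="mallory@example.org",
            last_login=d(1), policy_violation=True),
    Account("newhire", created_at=d(120), owner="newhire@example.org"),
    Account("dave", created_at=d(300), owner="dave@example.org", last_login=d(91)),
    Account("erin", created_at=d(300), owner="erin@example.org", last_login=d(89)),
]

if __name__ == "__main__":
    for name, reason in accounts_to_disable(SAMPLE_ACCOUNTS, NOW).items():
        print(f"disable {name}: {reason}")
```

Running it on the sample flags contractor7 (expired), svc-legacy (no owner), mallory (policy violation), newhire and dave (inactive) and leaves alice and erin enabled. The ordering matters in practice: an expired account is reported as expired even if it is also orphaned, which keeps the review output consistent with the clause numbering an auditor will look for.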
AC-24
Access Control Decisions 2 params
{{ insert: param, ac-24_odp.01 }} to ensure {{ insert: param, ac-24_odp.02 }} are applied to each access request prior to access enforcement.
Param ID Label Constraint / Choices
ac-24_odp.01 Select one-or-more: establish procedures; implement mechanisms
ac-24_odp.02 access control decisions access control decisions applied to each access request prior to access enforcement are defined;
AC-24(01)
Transmit Access Authorization Information 3 params
Transmit {{ insert: param, ac-24.01_odp.01 }} using {{ insert: param, ac-24.01_odp.02 }} to {{ insert: param, ac-24.01_odp.03 }} that enforce access control decisions.
Param ID Label Constraint / Choices
ac-24.01_odp.01 access authorization information access authorization information transmitted to systems that enforce access control decisions is defined;
ac-24.01_odp.02 controls controls to be used when authorization information is transmitted to systems that enforce access control decisions ar...
ac-24.01_odp.03 systems systems that enforce access control decisions are defined;
AC-24(02)
No User or Process Identity 3 params
Enforce access control decisions based on {{ insert: param, ac-24.2_prm_1 }} that do not include the identity of the user or process acting on behalf of the user.
Param ID Label Constraint / Choices
ac-24.2_prm_1 organization-defined security or privacy attributes Organization-defined
ac-24.02_odp.01 security attributes security attributes that do not include the identity of the user or process acting on behalf of the user are defined ...
ac-24.02_odp.02 privacy attributes privacy attributes that do not include the identity of the user or process acting on behalf of the user are defined (...
AC-25
Reference Monitor 1 param
Implement a reference monitor for {{ insert: param, ac-25_odp }} that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
Param ID Label Constraint / Choices
ac-25_odp access control policies access control policies for which a reference monitor is implemented are defined;
ac-2.7.(a) Establish and administer privileged user accounts in accordance with {{ insert: param, ac-02.07_odp }};
ac-2.7.(b) Monitor privileged role or attribute assignments;
ac-2.7.(c) Monitor changes to roles or attributes; and
ac-2.7.(d) Revoke access when privileged role or attribute assignments are no longer appropriate.
ac-2a Define and document the types of accounts allowed and specifically prohibited for use within the system;
ac-2b Assign account managers;
ac-2c Require {{ insert: param, ac-02_odp.01 }} for group and role membership;
ac-2d Specify:
ac-2d.1 Authorized users of the system;
ac-2d.2 Group and role membership; and
ac-2d.3 Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;
ac-2e Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;
ac-2f Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};
ac-2g Monitor the use of accounts;
ac-2h Notify account managers and {{ insert: param, ac-02_odp.05 }} within:
ac-2h.1 {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;
ac-2h.2 {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and
ac-2h.3 {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;
ac-2i Authorize access to the system based on:
ac-2i.1 A valid access authorization;
ac-2i.2 Intended system usage; and
ac-2i.3 {{ insert: param, ac-02_odp.09 }};
ac-2j Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};
ac-2k Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
ac-2l Align account management processes with personnel termination and transfer processes.
ac-3.12.(a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: {{ inser...
ac-3.12.(b) Provide an enforcement mechanism to prevent unauthorized access; and
ac-3.12.(c) Approve access changes after initial installation of the application.
ac-3.15.(a) Enforce {{ insert: param, ac-3.15_prm_1 }} over the set of covered subjects and objects specified in the policy; and
ac-3.15.(b) Enforce {{ insert: param, ac-3.15_prm_2 }} over the set of covered subjects and objects specified in the policy.
ac-3.3.(a) Is uniformly enforced across the covered subjects and objects within the system;
ac-3.3.(b) Specifies that a subject that has been granted access to information is constrained from doing any of the following:
ac-3.3.(b).(1) Passing the information to unauthorized subjects or objects;
ac-3.3.(b).(2) Granting its privileges to other subjects;
ac-3.3.(b).(3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;
ac-3.3.(b).(4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and
ac-3.3.(b).(5) Changing the rules governing access control; and
ac-3.3.(c) Specifies that {{ insert: param, ac-03.03_odp.03 }} may explicitly be granted {{ insert: param, ac-03.03_odp.04 }} such that they are not limited b...
ac-3.4.(a) Pass the information to any other subjects or objects;
ac-3.4.(b) Grant its privileges to other subjects;
ac-3.4.(c) Change security attributes on subjects, objects, the system, or the system’s components;
ac-3.4.(d) Choose the security attributes to be associated with newly created or revised objects; or
ac-3.4.(e) Change the rules governing access control.
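Worked example contrasting the AC-3(3) mandatory and AC-3(4) discretionary constraints listed above (added here as illustration; it is not part of the control catalog). The mandatory policy is a simple level-plus-compartment lattice with "no read up" and "no write down", which is what closes the (b)(1) leak path of a subject reading sensitive information and copying it to a less sensitive object; ordinary subjects cannot relabel objects or pick labels for new ones ((b)(3), (b)(4)), only the trusted set standing in for ac-03.03_odp.03 can. The discretionary policy lets an owner grant its privileges, so the same copy is permitted there. The level names, the trusted-subject set, the paths and the owner-only grant rule are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Linear sensitivity levels; compartments supply the non-linear part of the lattice.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's and a holds every compartment b does."""
    return LEVELS[a.level] >= LEVELS[b.level] and b.compartments <= a.compartments


class MandatoryPolicy:
    """AC-3(3): labels are system-assigned; ordinary subjects cannot change them."""

    def __init__(self, trusted_subjects: Set[str]):
        self.trusted = set(trusted_subjects)          # assumed stand-in for ac-03.03_odp.03
        self.subject_labels: Dict[str, Label] = {}
        self.object_labels: Dict[str, Label] = {}

    def permits(self, subject: str, obj: str, op: str) -> bool:
        s, o = self.subject_labels[subject], self.object_labels[obj]
        if op == "read":
            return dominates(s, o)    # no read up
        if op == "write":
            return dominates(o, s)    # no write down
        raise ValueError(op)

    def relabel(self, actor: str, obj: str, new_label: Label) -> bool:
        """(b)(3): only a trusted subject may change a security attribute."""
        if actor not in self.trusted:
            return False
        self.object_labels[obj] = new_label
        return True

    def create_object(self, creator: str, obj: str) -> Label:
        """(b)(4): a new object takes the creator's label; the creator does not choose it."""
        self.object_labels[obj] = self.subject_labels[creator]
        return self.object_labels[obj]


class DiscretionaryPolicy:
    """AC-3(4): the owner may pass information and grant privileges at its discretion."""

    def __init__(self):
        self.owner: Dict[str, str] = {}
        self.acl: Dict[str, Set[Tuple[str, str]]] = {}

    def create_object(self, creator: str, obj: str) -> None:
        self.owner[obj] = creator
        self.acl[obj] = {(creator, "read"), (creator, "write")}

    def permits(self, subject: str, obj: str, op: str) -> bool:
        return (subject, op) in self.acl.get(obj, set())

    def grant(self, grantor: str, obj: str, grantee: str, op: str) -> bool:
        """(b): a subject may grant a privilege only on an object it owns (assumed DAC rule)."""
        if self.owner.get(obj) != grantor:
            return False
        self.acl[obj].add((grantee, op))
        return True


def leak_path_open(policy, subject: str, src: str, dst: str) -> bool:
    """Can `subject` read src and write dst? That is the (b)(1) flow MAC must block
    whenever dst is less sensitive than src."""
    return policy.permits(subject, src, "read") and policy.permits(subject, dst, "write")


def demo() -> dict:
    # Constructed subjects, objects and labels (not from any real system).
    mac = MandatoryPolicy(trusted_subjects={"security_officer"})
    mac.subject_labels = {
        "analyst": Label("secret", frozenset({"crypto"})),
        "clerk": Label("unclassified"),
        "security_officer": Label("top-secret", frozenset({"crypto", "nuclear"})),
    }
    mac.object_labels = {
        "/reports/crypto.txt": Label("secret", frozenset({"crypto"})),
        "/reports/nuclear.txt": Label("secret", frozenset({"nuclear"})),
        "/public/notes.txt": Label("unclassified"),
    }
    dac = DiscretionaryPolicy()
    dac.create_object("analyst", "/reports/crypto.txt")
    dac.create_object("clerk", "/public/notes.txt")
    dac.grant("clerk", "/public/notes.txt", "analyst", "write")   # allowed under DAC
    return {
        "mac_read_own_compartment": mac.permits("analyst", "/reports/crypto.txt", "read"),
        "mac_read_other_compartment": mac.permits("analyst", "/reports/nuclear.txt", "read"),
        "mac_leak_to_public": leak_path_open(mac, "analyst", "/reports/crypto.txt", "/public/notes.txt"),
        "dac_leak_to_public": leak_path_open(dac, "analyst", "/reports/crypto.txt", "/public/notes.txt"),
        "mac_analyst_relabel": mac.relabel("analyst", "/reports/crypto.txt", Label("unclassified")),
        "mac_officer_relabel": mac.relabel("security_officer", "/reports/crypto.txt", Label("unclassified")),
        "mac_new_object_label": mac.create_object("analyst", "/reports/new.txt"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point to take from the two `leak_path_open` results is clause (a) of AC-3(3): because the mandatory check is applied uniformly to every subject and object, the analyst cannot downgrade information by copying it, even though the same analyst holds read and write permissions on both objects under the discretionary policy.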
ac-3.9.(a) The receiving {{ insert: param, ac-03.09_odp.01 }} provides {{ insert: param, ac-03.09_odp.02 }}; and
ac-3.9.(b) {{ insert: param, ac-03.09_odp.03 }} are used to validate the appropriateness of the information designated for release.
ac-4.29.(a) Content filtering mechanisms successfully complete execution without errors; and
ac-4.29.(b) Content filtering actions occur in the correct order and comply with {{ insert: param, ac-04.29_odp }}.
ac-4.32.(a) Does not filter message content;
ac-4.32.(b) Validates filtering metadata;
ac-4.32.(c) Ensures the content associated with the filtering metadata has successfully completed filtering; and
ac-4.32.(d) Transfers the content to the destination filter pipeline.
ac-4.8.(a) Enforce information flow control using {{ insert: param, ac-4.8_prm_1 }} as a basis for flow control decisions for {{ insert: param, ac-4.8_prm_2 }...
ac-4.8.(b) {{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-4.8_prm_4 }}.
ac-5a Identify and document {{ insert: param, ac-05_odp }}; and
ac-5b Define system access authorizations to support separation of duties.
ac-6.1.(a) {{ insert: param, ac-6.1_prm_2 }}; and
ac-6.1.(b) {{ insert: param, ac-06.01_odp.05 }}.
ac-6.7.(a) Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privilege...
ac-6.7.(b) Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
ac-7.4.(a) Allow the use of {{ insert: param, ac-07.04_odp.01 }} that are different from the primary authentication factors after the number of organization-d...
ac-7.4.(b) Enforce a limit of {{ insert: param, ac-07.04_odp.02 }} consecutive invalid logon attempts through use of the alternative factors by a user during ...
ac-7a Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }}; and
ac-7b Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.
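Worked example of the AC-7a/AC-7b limit together with the AC-7(4) alternative-factor allowance above (added here as illustration; it is not part of the control catalog). Failed primary-factor attempts are counted in a sliding window; once the limit is reached the primary factor is refused and only an alternative factor is accepted, and when the alternative-factor limit is also exceeded the account is automatically locked for a fixed period. The parameter values (3 attempts in 15 minutes, 2 alternative attempts, 30-minute lock), the choice of "lock the account for a period" as the ac-07_odp.03 action, and the attempt sequences are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class LogonLimiter:
    """Tracks consecutive invalid logon attempts per user inside a sliding window.

    Assumed values for the organization-defined parameters:
      max_primary     -> ac-07_odp.01 (invalid primary-factor attempts)
      window          -> ac-07_odp.02 (time period)
      max_alternative -> ac-07.04_odp.02 (invalid alternative-factor attempts)
      lock_duration   -> ac-07_odp.03, taken here as "lock the account for lock_duration"
    """

    def __init__(self, max_primary=3, window=timedelta(minutes=15),
                 max_alternative=2, lock_duration=timedelta(minutes=30)):
        self.max_primary = max_primary
        self.window = window
        self.max_alternative = max_alternative
        self.lock_duration = lock_duration
        self._primary = defaultdict(deque)      # user -> timestamps of failed primary attempts
        self._alternative = defaultdict(deque)  # user -> timestamps of failed alternative attempts
        self._locked_until = {}                 # user -> datetime the lock expires

    def _prune(self, q, now):
        """Drop failures older than the window so only recent consecutive ones count."""
        while q and now - q[0] > self.window:
            q.popleft()

    def _reset(self, user):
        self._primary[user].clear()
        self._alternative[user].clear()

    def is_locked(self, user, now) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[user]   # lock expired: start again with a clean counter
        self._reset(user)
        return False

    def attempt(self, user, now, credential_ok, factor="primary") -> str:
        """Record one logon attempt and return the decision."""
        if self.is_locked(user, now):
            return "locked"
        p = self._primary[user]
        self._prune(p, now)
        if factor == "primary":
            if len(p) >= self.max_primary:
                return "use_alternative_factor"   # AC-7a limit reached: primary factor refused
            if credential_ok:
                self._reset(user)
                return "ok"
            p.append(now)
            return "denied"
        if factor == "alternative":
            if len(p) < self.max_primary:
                return "alternative_not_allowed"  # AC-7(4)(a): only after the primary limit is hit
            a = self._alternative[user]
            self._prune(a, now)
            if credential_ok:
                self._reset(user)
                return "ok"
            a.append(now)
            if len(a) >= self.max_alternative:
                self._locked_until[user] = now + self.lock_duration   # AC-7b / AC-7(4)(b) action
                return "locked"
            return "denied"
        raise ValueError(f"unknown factor {factor!r}")


def scenario() -> dict:
    """Constructed attempt sequences (not real logs); returns the decisions per user."""
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    lim = LogonLimiter()

    def m(minutes):
        return t0 + timedelta(minutes=minutes)

    alice = [
        lim.attempt("alice", m(0), False),                        # denied
        lim.attempt("alice", m(1), False),                        # denied
        lim.attempt("alice", m(2), False),                        # denied
        lim.attempt("alice", m(3), True),                         # correct password, but too late
        lim.attempt("alice", m(4), False, factor="alternative"),  # denied
        lim.attempt("alice", m(5), False, factor="alternative"),  # locked until m(35)
        lim.attempt("alice", m(6), True),                         # still locked
        lim.attempt("alice", m(36), True),                        # lock expired: ok
    ]
    bob = [lim.attempt("bob", m(0), False, factor="alternative")]  # primary limit not yet reached
    carol = [                                                      # sliding window: old failures expire
        lim.attempt("carol", m(0), False),
        lim.attempt("carol", m(1), False),
        lim.attempt("carol", m(20), False),
        lim.attempt("carol", m(21), True),
    ]
    return {"alice": alice, "bob": bob, "carol": carol}


if __name__ == "__main__":
    for user, decisions in scenario().items():
        print(user, decisions)
```

Two practitioner caveats that the control text leaves to the implementer: return the same decision strings and take the same time for usernames that do not exist, otherwise the lockout path becomes an account-enumeration oracle; and because the lock is keyed on the username, anyone who can send login requests can lock out a victim, which is the trade-off between a timed lock and "lock until released by an administrator" that the ac-07_odp.03 selection asks the organization to make.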
ac-8a Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with ...
ac-8a.1 Users are accessing a U.S. Government system;
ac-8a.2 System usage may be monitored, recorded, and subject to audit;
ac-8a.3 Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
ac-8a.4 Use of the system indicates consent to monitoring and recording;
ac-8b Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or furt...
ac-8c For publicly accessible systems:
ac-8c.1 Display system use information {{ insert: param, ac-08_odp.02 }}, before granting further access to the publicly accessible system;
ac-8c.2 Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally p...
ac-8c.3 Include a description of the authorized uses of the system.