OSCAL Profile / Baseline

testing

HIGH • 272 controls • Source: Electronic (OSCAL) Version of NIST SP 800-53 Rev 5.2.0 Controls and SP 800-53A Rev 5.2.0 Assessment Procedures 1645df6a • Started
Created from Electronic (OSCAL) Version of NIST SP 800-53 Rev 5.2.0 Controls and SP 800-53A Rev 5.2.0 Assessment Procedures catalog
AC — Access Control 272
AC-1A P3
Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:
Parameters
ac-1_prm_1 organization-defined personnel or roles organization-defined personnel or roles
AC-1A(1) P3
{{ insert: param, ac-01_odp.03 }} access control policy that:
Parameters
ac-01_odp.03
Catalog options (one or more): organization-level, mission/business process-level, system-level
AC-1A(1).(A) P3
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
AC-1A(1).(B) P3
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
AC-1A(2) P3
Procedures to facilitate the implementation of the access control policy and the associated access controls;
AC-1B P3
Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and
Parameters
ac-01_odp.04 official official
AC-1C P3
Review and update the current access control:
AC-1C(1) P3
Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }}; and
Parameters
ac-01_odp.05 frequency frequency
ac-01_odp.06 events events
AC-1C(2) P3
Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}.
Parameters
ac-01_odp.07 frequency frequency
ac-01_odp.08 events events
AC-2(3).(A) P3
Have expired;
AC-2(3).(B) P3
Are no longer associated with a user or individual;
AC-2(3).(C) P3
Are in violation of organizational policy; or
AC-2(3).(D) P3
Have been inactive for {{ insert: param, ac-02.03_odp.02 }}.
Parameters
ac-02.03_odp.02 time period time period
AC-2(7).(A) P3
Establish and administer privileged user accounts in accordance with {{ insert: param, ac-02.07_odp }};
Parameters
ac-02.07_odp
Catalog options: a role-based access scheme, an attribute-based access scheme
AC-2(7).(B) P3
Monitor privileged role or attribute assignments;
AC-2(7).(C) P3
Monitor changes to roles or attributes; and
AC-2(7).(D) P3
Revoke access when privileged role or attribute assignments are no longer appropriate.
AC-2(12).(A) P3
Monitor system accounts for {{ insert: param, ac-02.12_odp.01 }}; and
Parameters
ac-02.12_odp.01 atypical usage atypical usage
AC-2(12).(B) P3
Report atypical usage of system accounts to {{ insert: param, ac-02.12_odp.02 }}.
Parameters
ac-02.12_odp.02 personnel or roles personnel or roles
AC-2A P3
Define and document the types of accounts allowed and specifically prohibited for use within the system;
AC-2B P3
Assign account managers;
AC-2C P3
Require {{ insert: param, ac-02_odp.01 }} for group and role membership;
Parameters
ac-02_odp.01 prerequisites and criteria prerequisites and criteria
AC-2D P3
Specify:
AC-2D(1) P3
Authorized users of the system;
AC-2D(2) P3
Group and role membership; and
AC-2D(3) P3
Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;
Parameters
ac-02_odp.02 attributes (as required) attributes (as required)
AC-2E P3
Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;
Parameters
ac-02_odp.03 personnel or roles personnel or roles
AC-2F P3
Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};
Parameters
ac-02_odp.04 policy, procedures, prerequisites, and criteria policy, procedures, prerequisites, and criteria
AC-2G P3
Monitor the use of accounts;
AC-2H P3
Notify account managers and {{ insert: param, ac-02_odp.05 }} within:
Parameters
ac-02_odp.05 personnel or roles personnel or roles
AC-2H(1) P3
{{ insert: param, ac-02_odp.06 }} when accounts are no longer required;
Parameters
ac-02_odp.06 time period time period
AC-2H(2) P3
{{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and
Parameters
ac-02_odp.07 time period time period
AC-2H(3) P3
{{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;
Parameters
ac-02_odp.08 time period time period
AC-2I P3
Authorize access to the system based on:
AC-2I(1) P3
A valid access authorization;
AC-2I(2) P3
Intended system usage; and
AC-2I(3) P3
{{ insert: param, ac-02_odp.09 }};
Parameters
ac-02_odp.09 attributes (as required) attributes (as required)
AC-2J P3
Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};
Parameters
ac-02_odp.10 frequency frequency
AC-2K P3
Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
AC-2L P3
Align account management processes with personnel termination and transfer processes.
AC-3(3).(A) P3
Is uniformly enforced across the covered subjects and objects within the system;
AC-3(3).(B) P3
Specifies that a subject that has been granted access to information is constrained from doing any of the following;
AC-3(3).(B).(1) P3
Passing the information to unauthorized subjects or objects;
AC-3(3).(B).(2) P3
Granting its privileges to other subjects;
AC-3(3).(B).(3) P3
Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;
AC-3(3).(B).(4) P3
Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and
AC-3(3).(B).(5) P3
Changing the rules governing access control; and
AC-3(3).(C) P3
Specifies that {{ insert: param, ac-03.03_odp.03 }} may explicitly be granted {{ insert: param, ac-03.03_odp.04 }} such that they are not limited by any defined subset (or all) of the above constra...
Parameters
ac-03.03_odp.03 subjects subjects
ac-03.03_odp.04 privileges privileges
AC-3(4).(A) P3
Pass the information to any other subjects or objects;
AC-3(4).(B) P3
Grant its privileges to other subjects;
AC-3(4).(C) P3
Change security attributes on subjects, objects, the system, or the system’s components;
AC-3(4).(D) P3
Choose the security attributes to be associated with newly created or revised objects; or
AC-3(4).(E) P3
Change the rules governing access control.
AC-3(9).(A) P3
The receiving {{ insert: param, ac-03.09_odp.01 }} provides {{ insert: param, ac-03.09_odp.02 }}; and
Parameters
ac-03.09_odp.01 system or system component system or system component
ac-03.09_odp.02 controls controls
AC-3(9).(B) P3
{{ insert: param, ac-03.09_odp.03 }} are used to validate the appropriateness of the information designated for release.
Parameters
ac-03.09_odp.03 controls controls
AC-3(12).(A) P3
Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: {{ insert: param, ac-03.12_odp }};
Parameters
ac-03.12_odp system applications and functions system applications and functions
AC-3(12).(B) P3
Provide an enforcement mechanism to prevent unauthorized access; and
AC-3(12).(C) P3
Approve access changes after initial installation of the application.
AC-3(15).(A) P3
Enforce {{ insert: param, ac-3.15_prm_1 }} over the set of covered subjects and objects specified in the policy; and
Parameters
ac-3.15_prm_1 organization-defined mandatory access control policy organization-defined mandatory access control policy
AC-3(15).(B) P3
Enforce {{ insert: param, ac-3.15_prm_2 }} over the set of covered subjects and objects specified in the policy.
Parameters
ac-3.15_prm_2 organization-defined discretionary access control policy organization-defined discretionary access control policy
AC-4(8).(A) P3
Enforce information flow control using {{ insert: param, ac-4.8_prm_1 }} as a basis for flow control decisions for {{ insert: param, ac-4.8_prm_2 }}; and
Parameters
ac-4.8_prm_1 organization-defined security or privacy policy filters organization-defined security or privacy policy filters
ac-4.8_prm_2 organization-defined information flows organization-defined information flows
AC-4(8).(B) P3
{{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-4.8_prm_4 }}.
Parameters
ac-4.8_prm_4 organization-defined security or privacy policy organization-defined security or privacy policy
ac-04.08_odp.05
Catalog options (one or more): block, strip, modify, quarantine
AC-4(29).(A) P3
Content filtering mechanisms successfully complete execution without errors; and
AC-4(29).(B) P3
Content filtering actions occur in the correct order and comply with {{ insert: param, ac-04.29_odp }}.
Parameters
ac-04.29_odp policy policy
AC-4(32).(A) P3
Does not filter message content;
AC-4(32).(B) P3
Validates filtering metadata;
AC-4(32).(C) P3
Ensures the content associated with the filtering metadata has successfully completed filtering; and
AC-4(32).(D) P3
Transfers the content to the destination filter pipeline.
AC-5A P3
Identify and document {{ insert: param, ac-05_odp }}; and
Parameters
ac-05_odp duties of individuals duties of individuals
AC-5B P3
Define system access authorizations to support separation of duties.
AC-6(1).(A) P3
{{ insert: param, ac-6.1_prm_2 }}; and
Parameters
ac-6.1_prm_2 organization-defined security functions (deployed in hardware, software, and firmware) organization-defined security functions (deployed in hardware, software, and firmware)
AC-6(1).(B) P3
{{ insert: param, ac-06.01_odp.05 }}.
Parameters
ac-06.01_odp.05 security-relevant information security-relevant information
AC-6(7).(A) P3
Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and
Parameters
ac-06.07_odp.01 frequency frequency
ac-06.07_odp.02 roles and classes roles and classes
AC-6(7).(B) P3
Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
AC-7(4).(A) P3
Allow the use of {{ insert: param, ac-07.04_odp.01 }} that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have bee...
Parameters
ac-07.04_odp.01 authentication factors authentication factors
AC-7(4).(B) P3
Enforce a limit of {{ insert: param, ac-07.04_odp.02 }} consecutive invalid logon attempts through use of the alternative factors by a user during a {{ insert: param, ac-07.04_odp.03 }}.
Parameters
ac-07.04_odp.02 number number
ac-07.04_odp.03 time period time period
AC-7A P3
Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }}; and
Parameters
ac-07_odp.01 number number
ac-07_odp.02 time period time period
AC-7B P3
Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.
Parameters
ac-07_odp.03
Catalog options (one or more): lock the account or node for {{ insert: param, ac-07_odp.04 }}, lock the account or node until released by an administrator, delay next logon prompt per {{ insert: param, ac-07_odp.05 }}, notify system administrator, take other {{ insert: param, ac-07_odp.06 }}
AC-8A P3
Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, reg...
Parameters
ac-08_odp.01 system use notification system use notification
AC-8A(1) P3
Users are accessing a U.S. Government system;
AC-8A(2) P3
System usage may be monitored, recorded, and subject to audit;
AC-8A(3) P3
Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
AC-8A(4) P3
Use of the system indicates consent to monitoring and recording;
AC-8B P3
Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
AC-8C P3
For publicly accessible systems:
AC-8C(1) P3
Display system use information {{ insert: param, ac-08_odp.02 }}, before granting further access to the publicly accessible system;
Parameters
ac-08_odp.02 conditions conditions
AC-8C(2) P3
Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
AC-8C(3) P3
Include a description of the authorized uses of the system.
AC-1 P3
Policy and Procedures
Parameters
ac-1_prm_1 organization-defined personnel or roles organization-defined personnel or roles
ac-01_odp.01 personnel or roles personnel or roles
ac-01_odp.02 personnel or roles personnel or roles
ac-01_odp.03
Catalog options (one or more): organization-level, mission/business process-level, system-level
ac-01_odp.04 official official
ac-01_odp.05 frequency frequency
ac-01_odp.06 events events
ac-01_odp.07 frequency frequency
ac-01_odp.08 events events
AC-11A P3
Prevent further access to the system by {{ insert: param, ac-11_odp.01 }}; and
Parameters
ac-11_odp.01
Catalog options (one or more): initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity, requiring the user to initiate a device lock before leaving the system unattended
AC-11B P3
Retain the device lock until the user reestablishes access using established identification and authentication procedures.
AC-14A P3
Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and
Parameters
ac-14_odp user actions user actions
AC-14B P3
Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.
AC-16A P3
Provide the means to associate {{ insert: param, ac-16_prm_1 }} with {{ insert: param, ac-16_prm_2 }} for information in storage, in process, and/or in transmission;
Parameters
ac-16_prm_1 organization-defined types of security and privacy attributes organization-defined types of security and privacy attributes
ac-16_prm_2 organization-defined security and privacy attribute values organization-defined security and privacy attribute values
AC-16B P3
Ensure that the attribute associations are made and retained with the information;
AC-16C P3
Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for {{ insert: param, ac-16_prm_3 }}: {{ insert: param, ac-16_prm_4 }};
Parameters
ac-16_prm_3 organization-defined systems organization-defined systems
ac-16_prm_4 organization-defined security and privacy attributes organization-defined security and privacy attributes
AC-16D P3
Determine the following permitted attribute values or ranges for each of the established attributes: {{ insert: param, ac-16_odp.09 }};
Parameters
ac-16_odp.09 attribute values or ranges attribute values or ranges
AC-16E P3
Audit changes to attributes; and
AC-16F P3
Review {{ insert: param, ac-16_prm_6 }} for applicability {{ insert: param, ac-16_prm_7 }}.
Parameters
ac-16_prm_6 organization-defined security and privacy attributes organization-defined security and privacy attributes
ac-16_prm_7 organization-defined frequency organization-defined frequency
AC-17(4).(A) P3
Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ inser...
AC-17(4).(B) P3
Document the rationale for remote access in the security plan for the system.
AC-17A P3
Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
AC-17B P3
Authorize each type of remote access to the system prior to allowing such connections.
AC-18A P3
Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
AC-18B P3
Authorize each type of wireless access to the system prior to allowing such connections.
AC-19(4).(A) P3
Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing officia...
AC-19(4).(B) P3
Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting clas...
AC-19(4).(B).(1) P3
Connection of unclassified mobile devices to classified systems is prohibited;
AC-19(4).(B).(2) P3
Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official;
AC-19(4).(B).(3) P3
Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
AC-19(4).(B).(4) P3
Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by {{ insert: param, ac-19.04_odp.01 }}, and if classified information is foun...
Parameters
ac-19.04_odp.01 security officials security officials
AC-19(4).(C) P3
Restrict the connection of classified mobile devices to classified systems in accordance with {{ insert: param, ac-19.04_odp.02 }}.
Parameters
ac-19.04_odp.02 security policies security policies
AC-19A P3
Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and
AC-19B P3
Authorize the connection of mobile devices to organizational systems.
AC-2 P3
Account Management
Parameters
ac-02_odp.01 prerequisites and criteria prerequisites and criteria
ac-02_odp.02 attributes (as required) attributes (as required)
ac-02_odp.03 personnel or roles personnel or roles
ac-02_odp.04 policy, procedures, prerequisites, and criteria policy, procedures, prerequisites, and criteria
ac-02_odp.05 personnel or roles personnel or roles
ac-02_odp.06 time period time period
ac-02_odp.07 time period time period
ac-02_odp.08 time period time period
ac-02_odp.09 attributes (as required) attributes (as required)
ac-02_odp.10 frequency frequency
AC-2(1) P3
Automated System Account Management
Parameters
ac-02.01_odp automated mechanisms automated mechanisms
AC-2(2) P3
Automated Temporary and Emergency Account Management
Parameters
ac-02.02_odp.01
Catalog options: remove, disable
ac-02.02_odp.02 time period time period
AC-2(3) P3
Disable Accounts
Parameters
ac-02.03_odp.01 time period time period
ac-02.03_odp.02 time period time period
AC-2(4) P3
Automated Audit Actions
AC-2(5) P3
Inactivity Logout
Parameters
ac-02.05_odp time period of expected inactivity or description of when to log out time period of expected inactivity or description of when to log out
AC-2(6) P3
Dynamic Privilege Management
Parameters
ac-02.06_odp dynamic privilege management capabilities dynamic privilege management capabilities
AC-2(7) P3
Privileged User Accounts
Parameters
ac-02.07_odp
Catalog options: a role-based access scheme, an attribute-based access scheme
AC-2(8) P3
Dynamic Account Management
Parameters
ac-02.08_odp system accounts system accounts
AC-2(9) P3
Restrictions on Use of Shared and Group Accounts
Parameters
ac-02.09_odp conditions conditions
AC-2(10) P3
Shared and Group Account Credential Change
AC-2(11) P3
Usage Conditions
Parameters
ac-02.11_odp.01 circumstances and/or usage conditions circumstances and/or usage conditions
ac-02.11_odp.02 system accounts system accounts
AC-2(12) P3
Account Monitoring for Atypical Usage
Parameters
ac-02.12_odp.01 atypical usage atypical usage
ac-02.12_odp.02 personnel or roles personnel or roles
AC-2(13) P3
Disable Accounts for High-risk Individuals
Parameters
ac-02.13_odp.01 time period time period
ac-02.13_odp.02 significant risks significant risks
AC-20(1).(A) P3
Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or
AC-20(1).(B) P3
Retention of approved system connection or processing agreements with the organizational entity hosting the external system.
AC-20A P3
{{ insert: param, ac-20_odp.01 }}, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individu...
Parameters
ac-20_odp.01
Catalog options (one or more): establish {{ insert: param, ac-20_odp.02 }}, identify {{ insert: param, ac-20_odp.03 }}
AC-20A(1) P3
Access the system from external systems; and
AC-20A(2) P3
Process, store, or transmit organization-controlled information using external systems; or
AC-20B P3
Prohibit the use of {{ insert: param, ac-20_odp.04 }}.
Parameters
ac-20_odp.04 prohibited types of external systems prohibited types of external systems
AC-21A P3
Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }}; and
Parameters
ac-21_odp.01 information-sharing circumstances information-sharing circumstances
AC-21B P3
Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions.
Parameters
ac-21_odp.02 automated mechanisms automated mechanisms
AC-22A P3
Designate individuals authorized to make information publicly accessible;
AC-22B P3
Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
AC-22C P3
Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
AC-22D P3
Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered.
Parameters
ac-22_odp frequency frequency
AC-3 P3
Access Enforcement
AC-3(1) P3
Restricted Access to Privileged Functions
AC-3(2) P3
Dual Authorization
Parameters
ac-03.02_odp privileged commands and/or other actions privileged commands and/or other actions
AC-3(3) P3
Mandatory Access Control
Parameters
ac-3.3_prm_1 organization-defined mandatory access control policy organization-defined mandatory access control policy
ac-03.03_odp.01 mandatory access control policy mandatory access control policy
ac-03.03_odp.02 mandatory access control policy mandatory access control policy
ac-03.03_odp.03 subjects subjects
ac-03.03_odp.04 privileges privileges
AC-3(4) P3
Discretionary Access Control
Parameters
ac-3.4_prm_1 organization-defined discretionary access control policy organization-defined discretionary access control policy
ac-03.04_odp.01 discretionary access control policy discretionary access control policy
ac-03.04_odp.02 discretionary access control policy discretionary access control policy
AC-3(5) P3
Security-relevant Information
Parameters
ac-03.05_odp security-relevant information security-relevant information
AC-3(6) P3
Protection of User and System Information
AC-3(7) P3
Role-based Access Control
Parameters
ac-3.7_prm_1 organization-defined roles and users authorized to assume such roles organization-defined roles and users authorized to assume such roles
ac-03.07_odp.01 roles roles
ac-03.07_odp.02 users authorized to assume such roles users authorized to assume such roles
AC-3(8) P3
Revocation of Access Authorizations
Parameters
ac-03.08_odp rules rules
AC-3(9) P3
Controlled Release
Parameters
ac-03.09_odp.01 system or system component system or system component
ac-03.09_odp.02 controls controls
ac-03.09_odp.03 controls controls
AC-3(10) P3
Audited Override of Access Control Mechanisms
Parameters
ac-03.10_odp.01 conditions conditions
ac-03.10_odp.02 roles roles
AC-3(11) P3
Restrict Access to Specific Information Types
Parameters
ac-03.11_odp information types information types
AC-3(12) P3
Assert and Enforce Application Access
Parameters
ac-03.12_odp system applications and functions system applications and functions
AC-3(13) P3
Attribute-based Access Control
Parameters
ac-03.13_odp attributes attributes
AC-3(14) P3
Individual Access
Parameters
ac-03.14_odp.01 mechanisms mechanisms
ac-03.14_odp.02 elements elements
AC-3(15) P3
Discretionary and Mandatory Access Control
Parameters
ac-3.15_prm_1 organization-defined mandatory access control policy organization-defined mandatory access control policy
ac-3.15_prm_2 organization-defined discretionary access control policy organization-defined discretionary access control policy
ac-03.15_odp.01 mandatory access control policy mandatory access control policy
ac-03.15_odp.02 mandatory access control policy mandatory access control policy
ac-03.15_odp.03 discretionary access control policy discretionary access control policy
ac-03.15_odp.04 discretionary access control policy discretionary access control policy
AC-4 P3
Information Flow Enforcement
Parameters
ac-04_odp information flow control policies information flow control policies
AC-4(1) P3
Object Security and Privacy Attributes
Parameters
ac-4.1_prm_1 organization-defined security and privacy attributes organization-defined security and privacy attributes
ac-4.1_prm_2 organization-defined information, source, and destination objects organization-defined information, source, and destination objects
ac-04.01_odp.01 security attributes security attributes
ac-04.01_odp.02 privacy attributes privacy attributes
ac-04.01_odp.03 information objects information objects
ac-04.01_odp.04 information objects information objects
ac-04.01_odp.05 source objects source objects
ac-04.01_odp.06 source objects source objects
ac-04.01_odp.07 destination objects destination objects
ac-04.01_odp.08 destination objects destination objects
ac-04.01_odp.09 information flow control policies information flow control policies
AC-4(2) P3
Processing Domains
Parameters
ac-04.02_odp information flow control policies information flow control policies
AC-4(3) P3
Dynamic Information Flow Control
Parameters
ac-04.03_odp information flow control policies information flow control policies
AC-4(4) P3
Flow Control of Encrypted Information
Parameters
ac-04.04_odp.01 information flow control mechanisms information flow control mechanisms
ac-04.04_odp.02
Catalog options (one or more): decrypting the information, blocking the flow of the encrypted information, terminating communications sessions attempting to pass encrypted information, {{ insert: param, ac-04.04_odp.03 }}
ac-04.04_odp.03 organization-defined procedure or method organization-defined procedure or method
AC-4(5) P3
Embedded Data Types
Parameters
ac-04.05_odp limitations limitations
AC-4(6) P3
Metadata
Parameters
ac-04.06_odp metadata metadata
AC-4(7) P3
One-way Flow Mechanisms
AC-4(8) P3
Security and Privacy Policy Filters
Parameters
ac-4.8_prm_1 organization-defined security or privacy policy filters organization-defined security or privacy policy filters
ac-4.8_prm_2 organization-defined information flows organization-defined information flows
ac-4.8_prm_4 organization-defined security or privacy policy organization-defined security or privacy policy
ac-04.08_odp.01 security policy filter security policy filter
ac-04.08_odp.02 privacy policy filter privacy policy filter
ac-04.08_odp.03 information flows information flows
ac-04.08_odp.04 information flows information flows
ac-04.08_odp.05
Catalog options (one or more): block, strip, modify, quarantine
ac-04.08_odp.06 security policy security policy
ac-04.08_odp.07 privacy policy privacy policy
AC-4(9) P3
Human Reviews
Parameters
ac-04.09_odp.01 information flows information flows
ac-04.09_odp.02 conditions conditions
AC-4(10) P3
Enable and Disable Security or Privacy Policy Filters
Parameters
ac-4.10_prm_1 organization-defined security or privacy policy filters organization-defined security or privacy policy filters
ac-4.10_prm_2 organization-defined conditions organization-defined conditions
ac-04.10_odp.01 security filters security filters
ac-04.10_odp.02 privacy filters privacy filters
ac-04.10_odp.03 conditions conditions
ac-04.10_odp.04 conditions conditions
AC-4(11) P3
Configuration of Security or Privacy Policy Filters
Parameters
ac-4.11_prm_1 organization-defined security or privacy policy filters organization-defined security or privacy policy filters
ac-04.11_odp.01 security policy filters security policy filters
ac-04.11_odp.02 privacy policy filters privacy policy filters
AC-4(12) P3
Data Type Identifiers
Parameters
ac-04.12_odp data type identifiers data type identifiers
AC-4(13) P3
Decomposition into Policy-relevant Subcomponents
Parameters
ac-04.13_odp policy-relevant subcomponents policy-relevant subcomponents
AC-4(14) P3
Security or Privacy Policy Filter Constraints
Parameters
ac-4.14_prm_1 organization-defined security or privacy policy filters organization-defined security or privacy policy filters
ac-04.14_odp.01 security policy filters security policy filters
ac-04.14_odp.02 privacy policy filters privacy policy filters
AC-4(15) P3
Detection of Unsanctioned Information
Parameters
ac-4.15_prm_2 organization-defined security or privacy policy organization-defined security or privacy policy
ac-04.15_odp.01 unsanctioned information unsanctioned information
ac-04.15_odp.02 security policy security policy
ac-04.15_odp.03 privacy policy privacy policy
AC-4(16) P3
Information Transfers on Interconnected Systems
AC-4(17) P3
Domain Authentication
Parameters
ac-04.17_odp
Catalog options (one or more): organization, system, application, service, individual
AC-4(18) P3
Security Attribute Binding
AC-4(19) P3
Validation of Metadata
Parameters
ac-4.19_prm_1 organization-defined security or privacy policy filters organization-defined security or privacy policy filters
ac-04.19_odp.01 security policy filters security policy filters
ac-04.19_odp.02 privacy policy filters privacy policy filters
AC-4(20) P3
Approved Solutions
Parameters
ac-04.20_odp.01 solutions in approved configurations solutions in approved configurations
ac-04.20_odp.02 information information
AC-4(21) P3
Physical or Logical Separation of Information Flows
Parameters
ac-4.21_prm_1 organization-defined mechanisms and/or techniques organization-defined mechanisms and/or techniques
ac-04.21_odp.01 mechanisms and/or techniques mechanisms and/or techniques
ac-04.21_odp.02 mechanisms and/or techniques mechanisms and/or techniques
ac-04.21_odp.03 required separations required separations
AC-4(22) P3
Access Only
AC-4(23) P3
Modify Non-releasable Information
Parameters
ac-04.23_odp modification action modification action
AC-4(24) P3
Internal Normalized Format
AC-4(25) P3
Data Sanitization
Parameters
ac-04.25_odp.01
Catalog options (one or more): delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography-encoded data, spillage of sensitive information
ac-04.25_odp.02 policy policy
AC-4(26) P3
Audit Filtering Actions
AC-4(27) P3
Redundant/Independent Filtering Mechanisms
AC-4(28) P3
Linear Filter Pipelines
AC-4(29) P3
Filter Orchestration Engines
Parameters
ac-04.29_odp policy policy
AC-4(30) P3
Filter Mechanisms Using Multiple Processes
AC-4(31) P3
Failed Content Transfer Prevention
AC-4(32) P3
Process Requirements for Information Transfer
AC-5 P3
Separation of Duties
Parameters
ac-05_odp duties of individuals duties of individuals
AC-6 P3
Least Privilege
AC-6(1) P3
Authorize Access to Security Functions
Parameters
ac-6.1_prm_2 organization-defined security functions (deployed in hardware, software, and firmware)
ac-06.01_odp.01 individuals and roles
ac-06.01_odp.02 security functions (deployed in hardware)
ac-06.01_odp.03 security functions (deployed in software)
ac-06.01_odp.04 security functions (deployed in firmware)
ac-06.01_odp.05 security-relevant information
AC-6(2) P3
Non-privileged Access for Nonsecurity Functions
Parameters
ac-06.02_odp security functions or security-relevant information
AC-6(3) P3
Network Access to Privileged Commands
Parameters
ac-06.03_odp.01 privileged commands
ac-06.03_odp.02 compelling operational needs
AC-6(4) P3
Separate Processing Domains
AC-6(5) P3
Privileged Accounts
Parameters
ac-06.05_odp personnel or roles
AC-6(6) P3
Privileged Access by Non-organizational Users
AC-6(7) P3
Review of User Privileges
Parameters
ac-06.07_odp.01 frequency
ac-06.07_odp.02 roles and classes
AC-6(8) P3
Privilege Levels for Code Execution
Parameters
ac-06.08_odp software
AC-6(9) P3
Log Use of Privileged Functions
AC-6(10) P3
Prohibit Non-privileged Users from Executing Privileged Functions
AC-7 P3
Unsuccessful Logon Attempts
Parameters
ac-07_odp.01 number
ac-07_odp.02 time period
ac-07_odp.03
Catalog options (one or more): lock the account or node for {{ insert: param, ac-07_odp.04 }}, lock the account or node until released by an administrator, delay next logon prompt per {{ insert: param, ac-07_odp.05 }}, notify system administrator, take other {{ insert: param, ac-07_odp.06 }}
ac-07_odp.04 time period
ac-07_odp.05 delay algorithm
ac-07_odp.06 action
AC-7(1) P3
Automatic Account Lock
AC-7(2) P3
Purge or Wipe Mobile Device
Parameters
ac-07.02_odp.01 mobile devices
ac-07.02_odp.02 purging or wiping requirements and techniques
ac-07.02_odp.03 number
AC-7(3) P3
Biometric Attempt Limiting
Parameters
ac-07.03_odp number
AC-7(4) P3
Use of Alternate Authentication Factor
Parameters
ac-07.04_odp.01 authentication factors
ac-07.04_odp.02 number
ac-07.04_odp.03 time period
AC-8 P3
System Use Notification
Parameters
ac-08_odp.01 system use notification
ac-08_odp.02 conditions
AC-9 P3
Previous Logon Notification
AC-9(1) P3
Unsuccessful Logons
AC-9(2) P3
Successful and Unsuccessful Logons
Parameters
ac-09.02_odp.01
Catalog options: successful logons, unsuccessful logon attempts, both
ac-09.02_odp.02 time period
AC-9(3) P3
Notification of Account Changes
Parameters
ac-09.03_odp.01 security-related characteristics or parameters
ac-09.03_odp.02 time period
AC-9(4) P3
Additional Logon Information
Parameters
ac-09.04_odp additional information
AC-10 P3
Concurrent Session Control
Parameters
ac-10_odp.01 account and/or account types
ac-10_odp.02 number
AC-11 P3
Device Lock
Parameters
ac-11_odp.01
Catalog options (one or more): initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity, requiring the user to initiate a device lock before leaving the system unattended
ac-11_odp.02 time period
AC-11(1) P3
Pattern-hiding Displays
AC-12 P3
Session Termination
Parameters
ac-12_odp conditions or trigger events
AC-12(1) P3
User-initiated Logouts
Parameters
ac-12.01_odp information resources
AC-12(2) P3
Termination Message
AC-12(3) P3
Timeout Warning Message
Parameters
ac-12.03_odp time
AC-13 P3
Supervision and Review — Access Control
AC-14 P3
Permitted Actions Without Identification or Authentication
Parameters
ac-14_odp user actions
AC-14(1) P3
Necessary Uses
AC-15 P3
Automated Marking
AC-16 P3
Security and Privacy Attributes
Parameters
ac-16_prm_1 organization-defined types of security and privacy attributes
ac-16_prm_2 organization-defined security and privacy attribute values
ac-16_prm_3 organization-defined systems
ac-16_prm_4 organization-defined security and privacy attributes
ac-16_prm_6 organization-defined security and privacy attributes
ac-16_prm_7 organization-defined frequency
ac-16_odp.01 types of security attributes
ac-16_odp.02 types of privacy attributes
ac-16_odp.03 security attribute values
ac-16_odp.04 privacy attribute values
ac-16_odp.05 systems
ac-16_odp.06 systems
ac-16_odp.07 security attributes
ac-16_odp.08 privacy attributes
ac-16_odp.09 attribute values or ranges
ac-16_odp.10 frequency
ac-16_odp.11 frequency
AC-16(1) P3
Dynamic Attribute Association
Parameters
ac-16.1_prm_1 organization-defined subjects and objects
ac-16.1_prm_2 organization-defined security and privacy policies
ac-16.01_odp.01 subjects
ac-16.01_odp.02 objects
ac-16.01_odp.03 subjects
ac-16.01_odp.04 objects
ac-16.01_odp.05 security policies
ac-16.01_odp.06 privacy policies
AC-16(2) P3
Attribute Value Changes by Authorized Individuals
AC-16(3) P3
Maintenance of Attribute Associations by System
Parameters
ac-16.3_prm_1 organization-defined security and privacy attributes
ac-16.3_prm_2 organization-defined subjects and objects
ac-16.03_odp.01 security attributes
ac-16.03_odp.02 privacy attributes
ac-16.03_odp.03 subjects
ac-16.03_odp.04 objects
ac-16.03_odp.05 subjects
ac-16.03_odp.06 objects
AC-16(4) P3
Association of Attributes by Authorized Individuals
Parameters
ac-16.4_prm_1 organization-defined security and privacy attributes
ac-16.4_prm_2 organization-defined subjects and objects
ac-16.04_odp.01 security attributes
ac-16.04_odp.02 security attributes
ac-16.04_odp.03 privacy attributes
ac-16.04_odp.04 privacy attributes
ac-16.04_odp.05 subjects
ac-16.04_odp.06 objects
ac-16.04_odp.07 subjects
ac-16.04_odp.08 objects
AC-16(5) P3
Attribute Displays on Objects to Be Output
Parameters
ac-16.05_odp.01 instructions
ac-16.05_odp.02 naming conventions
AC-16(6) P3
Maintenance of Attribute Association
Parameters
ac-16.6_prm_1 organization-defined security and privacy attributes
ac-16.6_prm_2 organization-defined subjects and objects
ac-16.6_prm_3 organization-defined security and privacy policies
ac-16.06_odp.01 security attributes
ac-16.06_odp.02 security attributes
ac-16.06_odp.03 privacy attributes
ac-16.06_odp.04 privacy attributes
ac-16.06_odp.05 subjects
ac-16.06_odp.06 objects
ac-16.06_odp.07 subjects
ac-16.06_odp.08 objects
ac-16.06_odp.09 security policies
ac-16.06_odp.10 privacy policies
AC-16(7) P3
Consistent Attribute Interpretation
AC-16(8) P3
Association Techniques and Technologies
Parameters
ac-16.8_prm_1 organization-defined techniques and technologies
ac-16.08_odp.01 techniques and technologies
ac-16.08_odp.02 techniques and technologies
AC-16(9) P3
Attribute Reassignment — Regrading Mechanisms
Parameters
ac-16.9_prm_1 organization-defined techniques or procedures
ac-16.09_odp.01 techniques or procedures
ac-16.09_odp.02 techniques or procedures
AC-16(10) P3
Attribute Configuration by Authorized Individuals
AC-17 P3
Remote Access
AC-17(1) P3
Monitoring and Control
AC-17(2) P3
Protection of Confidentiality and Integrity Using Encryption
AC-17(3) P3
Managed Access Control Points
AC-17(4) P3
Privileged Commands and Access
Parameters
ac-17.4_prm_1 organization-defined needs
ac-17.04_odp.01 needs requiring remote access
ac-17.04_odp.02 needs requiring remote access
AC-17(5) P3
Monitoring for Unauthorized Connections
AC-17(6) P3
Protection of Mechanism Information
AC-17(7) P3
Additional Protection for Security Function Access
AC-17(8) P3
Disable Nonsecure Network Protocols
AC-17(9) P3
Disconnect or Disable Access
Parameters
ac-17.09_odp time period
AC-17(10) P3
Authenticate Remote Commands
Parameters
ac-17.10_odp.01 mechanisms
ac-17.10_odp.02 remote commands
AC-18 P3
Wireless Access
AC-18(1) P3
Authentication and Encryption
Parameters
ac-18.01_odp
Catalog options (one or more): users, devices
AC-18(2) P3
Monitoring Unauthorized Connections
AC-18(3) P3
Disable Wireless Networking
AC-18(4) P3
Restrict Configurations by Users
AC-18(5) P3
Antennas and Transmission Power Levels
AC-19 P3
Access Control for Mobile Devices
AC-19(1) P3
Use of Writable and Portable Storage Devices
AC-19(2) P3
Use of Personally Owned Portable Storage Devices
AC-19(3) P3
Use of Portable Storage Devices with No Identifiable Owner
AC-19(4) P3
Restrictions for Classified Information
Parameters
ac-19.04_odp.01 security officials
ac-19.04_odp.02 security policies
AC-19(5) P3
Full Device or Container-based Encryption
Parameters
ac-19.05_odp.01
Catalog options: full-device encryption, container-based encryption
ac-19.05_odp.02 mobile devices
AC-20 P3
Use of External Systems
Parameters
ac-20_odp.01
Catalog options (one or more): establish {{ insert: param, ac-20_odp.02 }}, identify {{ insert: param, ac-20_odp.03 }}
ac-20_odp.02 terms and conditions
ac-20_odp.03 controls asserted
ac-20_odp.04 prohibited types of external systems
AC-20(1) P3
Limits on Authorized Use
AC-20(2) P3
Portable Storage Devices — Restricted Use
Parameters
ac-20.02_odp restrictions
AC-20(3) P3
Non-organizationally Owned Systems — Restricted Use
Parameters
ac-20.03_odp restrictions
AC-20(4) P3
Network Accessible Storage Devices — Prohibited Use
Parameters
ac-20.04_odp network-accessible storage devices
AC-20(5) P3
Portable Storage Devices — Prohibited Use
AC-21 P3
Information Sharing
Parameters
ac-21_odp.01 information-sharing circumstances
ac-21_odp.02 automated mechanisms
AC-21(1) P3
Automated Decision Support
Parameters
ac-21.01_odp automated mechanisms
AC-21(2) P3
Information Search and Retrieval
Parameters
ac-21.02_odp information-sharing restrictions
AC-22 P3
Publicly Accessible Content
Parameters
ac-22_odp frequency
AC-23 P3
Data Mining Protection
Parameters
ac-23_odp.01 techniques
ac-23_odp.02 data storage objects
AC-24 P3
Access Control Decisions
Parameters
ac-24_odp.01
Catalog options (one or more): establish procedures, implement mechanisms
ac-24_odp.02 access control decisions
AC-24(1) P3
Transmit Access Authorization Information
Parameters
ac-24.01_odp.01 access authorization information
ac-24.01_odp.02 controls
ac-24.01_odp.03 systems
AC-24(2) P3
No User or Process Identity
Parameters
ac-24.2_prm_1 organization-defined security or privacy attributes
ac-24.02_odp.01 security attributes
ac-24.02_odp.02 privacy attributes
AC-25 P3
Reference Monitor
Parameters
ac-25_odp access control policies
OSCAL Metadata
2026-03-27T20:41:44Z
Roles: 0 (no roles defined)
Parties: 0 (no parties defined)