ID | Family | Title | Enhancement | Requirement |
---|---|---|---|---|
AC-1 | Access Control | Policy and Procedures | | a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: |
AC-2 | Access Control | Account Management | | a. Define and document the types of accounts allowed and specifically prohibited for use within the system; |
AC-2(1) | Access Control | Account Management | Automated System Account Management | Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. |
AC-2(2) | Access Control | Account Management | Automated Temporary and Emergency Account Management | Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. |
AC-2(3) | Access Control | Account Management | Disable Accounts | Disable accounts within [Assignment: organization-defined time period] when the accounts: |
AC-2(4) | Access Control | Account Management | Automated Audit Actions | Automatically audit account creation, modification, enabling, disabling, and removal actions. |
AC-2(5) | Access Control | Account Management | Inactivity Logout | Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out]. |
AC-2(6) | Access Control | Account Management | Dynamic Privilege Management | Implement [Assignment: organization-defined dynamic privilege management capabilities]. |
AC-2(7) | Access Control | Account Management | Privileged User Accounts | (a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme]; |
AC-2(8) | Access Control | Account Management | Dynamic Account Management | Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically. |
AC-2(9) | Access Control | Account Management | Restrictions on Use of Shared and Group Accounts | Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts]. |
AC-13 | Access Control | Supervision and Review — Access Control | | [Withdrawn: Incorporated into AC-2 and AU-6.] |
AC-2(11) | Access Control | Account Management | Usage Conditions | Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts]. |
AC-2(12) | Access Control | Account Management | Account Monitoring for Atypical Usage | (a) Monitor system accounts for [Assignment: organization-defined atypical usage]; and |
AC-2(13) | Access Control | Account Management | Disable Accounts for High-risk Individuals | Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks]. |
AC-3 | Access Control | Access Enforcement | | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
AC-14(1) | Access Control | Permitted Actions Without Identification or Authentication | Necessary Uses | [Withdrawn: Incorporated into AC-14.] |
AC-3(2) | Access Control | Access Enforcement | Dual Authorization | Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. |
AC-3(3) | Access Control | Access Enforcement | Mandatory Access Control | Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: |
AC-3(4) | Access Control | Access Enforcement | Discretionary Access Control | Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: |
AC-3(5) | Access Control | Access Enforcement | Security-relevant Information | Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states. |
AC-15 | Access Control | Automated Marking | | [Withdrawn: Incorporated into MP-3.] |
AC-3(7) | Access Control | Access Enforcement | Role-based Access Control | Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. |
AC-3(8) | Access Control | Access Enforcement | Revocation of Access Authorizations | Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. |
AC-3(9) | Access Control | Access Enforcement | Controlled Release | Release information outside of the system only if: |
AC-3(10) | Access Control | Access Enforcement | Audited Override of Access Control Mechanisms | Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]. |
AC-3(11) | Access Control | Access Enforcement | Restrict Access to Specific Information Types | Restrict access to data repositories containing [Assignment: organization-defined information types]. |
AC-3(12) | Access Control | Access Enforcement | Assert and Enforce Application Access | (a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]; |
AC-3(13) | Access Control | Access Enforcement | Attribute-based Access Control | Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions]. |
AC-3(14) | Access Control | Access Enforcement | Individual Access | Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements]. |
AC-3(15) | Access Control | Access Enforcement | Discretionary and Mandatory Access Control | (a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and |
AC-4 | Access Control | Information Flow Enforcement | | Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. |
AC-4(1) | Access Control | Information Flow Enforcement | Object Security and Privacy Attributes | Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. |
AC-4(2) | Access Control | Information Flow Enforcement | Processing Domains | Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. |
AC-4(3) | Access Control | Information Flow Enforcement | Dynamic Information Flow Control | Enforce [Assignment: organization-defined information flow control policies]. |
AC-4(4) | Access Control | Information Flow Enforcement | Flow Control of Encrypted Information | Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. |
AC-4(5) | Access Control | Information Flow Enforcement | Embedded Data Types | Enforce [Assignment: organization-defined limitations] on embedding data types within other data types. |
AC-4(6) | Access Control | Information Flow Enforcement | Metadata | Enforce information flow control based on [Assignment: organization-defined metadata]. |
AC-4(7) | Access Control | Information Flow Enforcement | One-way Flow Mechanisms | Enforce one-way information flows through hardware-based flow control mechanisms. |
AC-4(8) | Access Control | Information Flow Enforcement | Security and Privacy Policy Filters | (a) Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and |
AC-4(9) | Access Control | Information Flow Enforcement | Human Reviews | Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]. |
AC-4(10) | Access Control | Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters | Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions]. |
AC-4(11) | Access Control | Information Flow Enforcement | Configuration of Security or Privacy Policy Filters | Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies. |
AC-4(12) | Access Control | Information Flow Enforcement | Data Type Identifiers | When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions. |
AC-4(13) | Access Control | Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents | When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. |
AC-4(14) | Access Control | Information Flow Enforcement | Security or Privacy Policy Filter Constraints | When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content. |
AC-4(15) | Access Control | Information Flow Enforcement | Detection of Unsanctioned Information | When transferring information between different security domains, examine the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy]. |
AC-17(5) | Access Control | Remote Access | Monitoring for Unauthorized Connections | [Withdrawn: Incorporated into SI-4.] |
AC-4(17) | Access Control | Information Flow Enforcement | Domain Authentication | Uniquely identify and authenticate source and destination points by [Selection (one or more): organization; system; application; service; individual] for information transfer. |
AC-17(7) | Access Control | Remote Access | Additional Protection for Security Function Access | [Withdrawn: Incorporated into AC-3(10).] |
AC-4(19) | Access Control | Information Flow Enforcement | Validation of Metadata | When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata. |
AC-4(20) | Access Control | Information Flow Enforcement | Approved Solutions | Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. |
AC-4(21) | Access Control | Information Flow Enforcement | Physical or Logical Separation of Information Flows | Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. |
AC-4(22) | Access Control | Information Flow Enforcement | Access Only | Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains. |
AC-4(23) | Access Control | Information Flow Enforcement | Modify Non-releasable Information | When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action]. |
AC-4(24) | Access Control | Information Flow Enforcement | Internal Normalized Format | When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification. |
AC-4(25) | Access Control | Information Flow Enforcement | Data Sanitization | When transferring information between different security domains, sanitize data to minimize [Selection (one or more): delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data; spillage of sensitive information] in accordance with [Assignment: organization-defined policy]. |
AC-4(26) | Access Control | Information Flow Enforcement | Audit Filtering Actions | When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered. |
AC-4(27) | Access Control | Information Flow Enforcement | Redundant/independent Filtering Mechanisms | When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type. |
AC-4(28) | Access Control | Information Flow Enforcement | Linear Filter Pipelines | When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls. |
AC-4(29) | Access Control | Information Flow Enforcement | Filter Orchestration Engines | When transferring information between different security domains, employ content filter orchestration engines to ensure that: |
AC-4(30) | Access Control | Information Flow Enforcement | Filter Mechanisms Using Multiple Processes | When transferring information between different security domains, implement content filtering mechanisms using multiple processes. |
AC-4(31) | Access Control | Information Flow Enforcement | Failed Content Transfer Prevention | When transferring information between different security domains, prevent the transfer of failed content to the receiving domain. |
AC-4(32) | Access Control | Information Flow Enforcement | Process Requirements for Information Transfer | When transferring information between different security domains, the process that transfers information between filter pipelines: |
AC-5 | Access Control | Separation of Duties | | a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and |
AC-6 | Access Control | Least Privilege | | Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. |
AC-6(1) | Access Control | Least Privilege | Authorize Access to Security Functions | Authorize access for [Assignment: organization-defined individuals or roles] to: |
AC-6(2) | Access Control | Least Privilege | Non-privileged Access for Nonsecurity Functions | Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions. |
AC-6(3) | Access Control | Least Privilege | Network Access to Privileged Commands | Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. |
AC-6(4) | Access Control | Least Privilege | Separate Processing Domains | Provide separate processing domains to enable finer-grained allocation of user privileges. |
AC-6(5) | Access Control | Least Privilege | Privileged Accounts | Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles]. |
AC-6(6) | Access Control | Least Privilege | Privileged Access by Non-organizational Users | Prohibit privileged access to the system by non-organizational users. |
AC-6(7) | Access Control | Least Privilege | Review of User Privileges | (a) Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and |
AC-6(8) | Access Control | Least Privilege | Privilege Levels for Code Execution | Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software]. |
AC-6(9) | Access Control | Least Privilege | Log Use of Privileged Functions | Log the execution of privileged functions. |
AC-6(10) | Access Control | Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions | Prevent non-privileged users from executing privileged functions. |
AC-7 | Access Control | Unsuccessful Logon Attempts | | a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and |
AC-17(8) | Access Control | Remote Access | Disable Nonsecure Network Protocols | [Withdrawn: Incorporated into CM-7.] |
AC-7(2) | Access Control | Unsuccessful Logon Attempts | Purge or Wipe Mobile Device | Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts. |
AC-7(3) | Access Control | Unsuccessful Logon Attempts | Biometric Attempt Limiting | Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined number]. |
AC-7(4) | Access Control | Unsuccessful Logon Attempts | Use of Alternate Authentication Factor | (a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and |
AC-8 | Access Control | System Use Notification | | a. Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: |
AC-9 | Access Control | Previous Logon Notification | | Notify the user, upon successful logon to the system, of the date and time of the last logon. |
AC-9(1) | Access Control | Previous Logon Notification | Unsuccessful Logons | Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon. |
AC-9(2) | Access Control | Previous Logon Notification | Successful and Unsuccessful Logons | Notify the user, upon successful logon, of the number of [Selection: successful logons; unsuccessful logon attempts; both] during [Assignment: organization-defined time period]. |
AC-9(3) | Access Control | Previous Logon Notification | Notification of Account Changes | Notify the user, upon successful logon, of changes to [Assignment: organization-defined security-related characteristics or parameters of the user's account] during [Assignment: organization-defined time period]. |
AC-9(4) | Access Control | Previous Logon Notification | Additional Logon Information | Notify the user, upon successful logon, of the following additional information: [Assignment: organization-defined additional information]. |
AC-10 | Access Control | Concurrent Session Control | | Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. |
AC-11 | Access Control | Device Lock | | a. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and |
AC-11(1) | Access Control | Device Lock | Pattern-hiding Displays | Conceal, via the device lock, information previously visible on the display with a publicly viewable image. |
AC-12 | Access Control | Session Termination | | Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. |
AC-12(1) | Access Control | Session Termination | User-initiated Logouts | Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]. |
AC-12(2) | Access Control | Session Termination | Termination Message | Display an explicit logout message to users indicating the termination of authenticated communications sessions. |
AC-12(3) | Access Control | Session Termination | Timeout Warning Message | Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session]. |
AC-18(2) | Access Control | Wireless Access | Monitoring Unauthorized Connections | [Withdrawn: Incorporated into SI-4.] |
AC-14 | Access Control | Permitted Actions Without Identification or Authentication | | a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and |
AC-19(1) | Access Control | Access Control for Mobile Devices | Use of Writable and Portable Storage Devices | [Withdrawn: Incorporated into MP-7.] |
AC-19(2) | Access Control | Access Control for Mobile Devices | Use of Personally Owned Portable Storage Devices | [Withdrawn: Incorporated into MP-7.] |
AC-16 | Access Control | Security and Privacy Attributes | | a. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; |
AC-16(1) | Access Control | Security and Privacy Attributes | Dynamic Attribute Association | Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies]. |