NIST 800-53 r5 Control Explorer

ID Family Title Requirement
AC-1 Access Control: Policy and Procedures

a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] access control policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the access control policy and the associated access controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and
c. Review and update the current access control:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

AC-2 Access Control: Account Management

a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
b. Assign account managers;
c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
d. Specify:
1. Authorized users of the system;
2. Group and role membership; and
3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
g. Monitor the use of accounts;
h. Notify account managers and [Assignment: organization-defined personnel or roles] within:
1. [Assignment: organization-defined time period] when accounts are no longer required;
2. [Assignment: organization-defined time period] when users are terminated or transferred; and
3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
i. Authorize access to the system based on:
1. A valid access authorization;
2. Intended system usage; and
3. [Assignment: organization-defined attributes (as required)];
j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];
k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
l. Align account management processes with personnel termination and transfer processes.

AC-2(1) Access Control: Account Management | Automated System Account Management

Support the management of system accounts using [Assignment: organization-defined automated mechanisms].

AC-2(2) Access Control: Account Management | Automated Temporary and Emergency Account Management

Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

AC-2(3) Access Control: Account Management | Disable Accounts

Disable accounts within [Assignment: organization-defined time period] when the accounts:
(a) Have expired;
(b) Are no longer associated with a user or individual;
(c) Are in violation of organizational policy; or
(d) Have been inactive for [Assignment: organization-defined time period].

AC-2(4) Access Control: Account Management | Automated Audit Actions

Automatically audit account creation, modification, enabling, disabling, and removal actions.

AC-2(5) Access Control: Account Management | Inactivity Logout

Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].

AC-2(6) Access Control: Account Management | Dynamic Privilege Management

Implement [Assignment: organization-defined dynamic privilege management capabilities].

AC-2(7) Access Control: Account Management | Privileged User Accounts

(a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme];
(b) Monitor privileged role or attribute assignments;
(c) Monitor changes to roles or attributes; and
(d) Revoke access when privileged role or attribute assignments are no longer appropriate.

AC-2(8) Access Control: Account Management | Dynamic Account Management

Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically.

AC-2(9) Access Control: Account Management | Restrictions on Use of Shared and Group Accounts

Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts].

AC-13 Access Control: Supervision and Review — Access Control

[Withdrawn: Incorporated into AC-2 and AU-6.]

AC-2(11) Access Control: Account Management | Usage Conditions

Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts].

AC-2(12) Access Control: Account Management | Account Monitoring for Atypical Usage

(a) Monitor system accounts for [Assignment: organization-defined atypical usage]; and
(b) Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles].

AC-2(13) Access Control: Account Management | Disable Accounts for High-risk Individuals

Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks].

AC-3 Access Control: Access Enforcement

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

AC-14(1) Access Control: Permitted Actions Without Identification or Authentication | Necessary Uses

[Withdrawn: Incorporated into AC-14.]

AC-3(2) Access Control: Access Enforcement | Dual Authorization

Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].

AC-3(3) Access Control: Access Enforcement | Mandatory Access Control

Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy:
(a) Is uniformly enforced across the covered subjects and objects within the system;
(b) Specifies that a subject that has been granted access to information is constrained from doing any of the following:
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;
(4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and
(5) Changing the rules governing access control; and
(c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints.

AC-3(4) Access Control: Access Enforcement | Discretionary Access Control

Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:
(a) Pass the information to any other subjects or objects;
(b) Grant its privileges to other subjects;
(c) Change security attributes on subjects, objects, the system, or the system’s components;
(d) Choose the security attributes to be associated with newly created or revised objects; or
(e) Change the rules governing access control.

AC-3(5) Access Control: Access Enforcement | Security-relevant Information

Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.

AC-15 Access Control: Automated Marking

[Withdrawn: Incorporated into MP-3.]

AC-3(7) Access Control: Access Enforcement | Role-based Access Control

Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].

AC-3(8) Access Control: Access Enforcement | Revocation of Access Authorizations

Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].

AC-3(9) Access Control: Access Enforcement | Controlled Release

Release information outside of the system only if:
(a) The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and
(b) [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release.

AC-3(10) Access Control: Access Enforcement | Audited Override of Access Control Mechanisms

Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].

AC-3(11) Access Control: Access Enforcement | Restrict Access to Specific Information Types

Restrict access to data repositories containing [Assignment: organization-defined information types].

AC-3(12) Access Control: Access Enforcement | Assert and Enforce Application Access

(a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions];
(b) Provide an enforcement mechanism to prevent unauthorized access; and
(c) Approve access changes after initial installation of the application.

AC-3(13) Access Control: Access Enforcement | Attribute-based Access Control

Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions].

AC-3(14) Access Control: Access Enforcement | Individual Access

Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements].

AC-3(15) Access Control: Access Enforcement | Discretionary and Mandatory Access Control

(a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and
(b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.

AC-4 Access Control: Information Flow Enforcement

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].

AC-4(1) Access Control: Information Flow Enforcement | Object Security and Privacy Attributes

Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.

AC-4(2) Access Control: Information Flow Enforcement | Processing Domains

Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.

AC-4(3) Access Control: Information Flow Enforcement | Dynamic Information Flow Control

Enforce [Assignment: organization-defined information flow control policies].

AC-4(4) Access Control: Information Flow Enforcement | Flow Control of Encrypted Information

Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]].

AC-4(5) Access Control: Information Flow Enforcement | Embedded Data Types

Enforce [Assignment: organization-defined limitations] on embedding data types within other data types.

AC-4(6) Access Control: Information Flow Enforcement | Metadata

Enforce information flow control based on [Assignment: organization-defined metadata].

AC-4(7) Access Control: Information Flow Enforcement | One-way Flow Mechanisms

Enforce one-way information flows through hardware-based flow control mechanisms.

AC-4(8) Access Control: Information Flow Enforcement | Security and Privacy Policy Filters

(a) Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and
(b) [Selection (one or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy].

AC-4(9) Access Control: Information Flow Enforcement | Human Reviews

Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].

AC-4(10) Access Control: Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters

Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions].

AC-4(11) Access Control: Information Flow Enforcement | Configuration of Security or Privacy Policy Filters

Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies.

AC-4(12) Access Control: Information Flow Enforcement | Data Type Identifiers

When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions.

AC-4(13) Access Control: Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents

When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.

AC-4(14) Access Control: Information Flow Enforcement | Security or Privacy Policy Filter Constraints

When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content.

AC-4(15) Access Control: Information Flow Enforcement | Detection of Unsanctioned Information

When transferring information between different security domains, examine the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy].

AC-17(5) Access Control: Remote Access | Monitoring for Unauthorized Connections

[Withdrawn: Incorporated into SI-4.]

AC-4(17) Access Control: Information Flow Enforcement | Domain Authentication

Uniquely identify and authenticate source and destination points by [Selection (one or more): organization; system; application; service; individual] for information transfer.

AC-17(7) Access Control: Remote Access | Additional Protection for Security Function Access

[Withdrawn: Incorporated into AC-3(10).]

AC-4(19) Access Control: Information Flow Enforcement | Validation of Metadata

When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata.

AC-4(20) Access Control: Information Flow Enforcement | Approved Solutions

Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains.

AC-4(21) Access Control: Information Flow Enforcement | Physical or Logical Separation of Information Flows

Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].

AC-4(22) Access Control: Information Flow Enforcement | Access Only

Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.

AC-4(23) Access Control: Information Flow Enforcement | Modify Non-releasable Information

When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action].

AC-4(24) Access Control: Information Flow Enforcement | Internal Normalized Format

When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.

AC-4(25) Access Control: Information Flow Enforcement | Data Sanitization

When transferring information between different security domains, sanitize data to minimize [Selection (one or more): delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data; spillage of sensitive information] in accordance with [Assignment: organization-defined policy].

AC-4(26) Access Control: Information Flow Enforcement | Audit Filtering Actions

When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.

AC-4(27) Access Control: Information Flow Enforcement | Redundant/independent Filtering Mechanisms

When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.

AC-4(28) Access Control: Information Flow Enforcement | Linear Filter Pipelines

When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.

AC-4(29) Access Control: Information Flow Enforcement | Filter Orchestration Engines

When transferring information between different security domains, employ content filter orchestration engines to ensure that:
(a) Content filtering mechanisms successfully complete execution without errors; and
(b) Content filtering actions occur in the correct order and comply with [Assignment: organization-defined policy].

AC-4(30) Access Control: Information Flow Enforcement | Filter Mechanisms Using Multiple Processes

When transferring information between different security domains, implement content filtering mechanisms using multiple processes.

AC-4(31) Access Control: Information Flow Enforcement | Failed Content Transfer Prevention

When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.

AC-4(32) Access Control: Information Flow Enforcement | Process Requirements for Information Transfer

When transferring information between different security domains, the process that transfers information between filter pipelines:
(a) Does not filter message content;
(b) Validates filtering metadata;
(c) Ensures the content associated with the filtering metadata has successfully completed filtering; and
(d) Transfers the content to the destination filter pipeline.

AC-5 Access Control: Separation of Duties

a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and
b. Define system access authorizations to support separation of duties.

AC-6 Access Control: Least Privilege

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

AC-6(1) Access Control: Least Privilege | Authorize Access to Security Functions

Authorize access for [Assignment: organization-defined individuals or roles] to:
(a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and
(b) [Assignment: organization-defined security-relevant information].

AC-6(2) Access Control: Least Privilege | Non-privileged Access for Nonsecurity Functions

Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions.

AC-6(3) Access Control: Least Privilege | Network Access to Privileged Commands

Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.

AC-6(4) Access Control: Least Privilege | Separate Processing Domains

Provide separate processing domains to enable finer-grained allocation of user privileges.

AC-6(5) Access Control: Least Privilege | Privileged Accounts

Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles].

AC-6(6) Access Control: Least Privilege | Privileged Access by Non-organizational Users

Prohibit privileged access to the system by non-organizational users.

AC-6(7) Access Control: Least Privilege | Review of User Privileges

(a) Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
(b) Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.

AC-6(8) Access Control: Least Privilege | Privilege Levels for Code Execution

Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software].

AC-6(9) Access Control: Least Privilege | Log Use of Privileged Functions

Log the execution of privileged functions.

AC-6(10) Access Control: Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions

Prevent non-privileged users from executing privileged functions.

AC-7 Access Control: Unsuccessful Logon Attempts

a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded.

AC-17(8) Access Control: Remote Access | Disable Nonsecure Network Protocols

[Withdrawn: Incorporated into CM-7.]

AC-7(2) Access Control: Unsuccessful Logon Attempts | Purge or Wipe Mobile Device

Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.

AC-7(3) Access Control: Unsuccessful Logon Attempts | Biometric Attempt Limiting

Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined number].

AC-7(4) Access Control: Unsuccessful Logon Attempts | Use of Alternate Authentication Factor

(a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts has been exceeded; and
(b) Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period].

AC-8 Access Control: System Use Notification

a. Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and states that:
1. Users are accessing a U.S. Government system;
2. System usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
4. Use of the system indicates consent to monitoring and recording;
b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
c. For publicly accessible systems:
1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system;
2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Include a description of the authorized uses of the system.

AC-9 Access Control: Previous Logon Notification

Notify the user, upon successful logon to the system, of the date and time of the last logon.

AC-9(1) Access Control: Previous Logon Notification | Unsuccessful Logons

Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.

AC-9(2) Access Control: Previous Logon Notification | Successful and Unsuccessful Logons

Notify the user, upon successful logon, of the number of [Selection: successful logons; unsuccessful logon attempts; both] during [Assignment: organization-defined time period].

AC-9(3) Access Control: Previous Logon Notification | Notification of Account Changes

Notify the user, upon successful logon, of changes to [Assignment: organization-defined security-related characteristics or parameters of the user’s account] during [Assignment: organization-defined time period].

AC-9(4) Access Control: Previous Logon Notification | Additional Logon Information

Notify the user, upon successful logon, of the following additional information: [Assignment: organization-defined additional information].

AC-10 Access Control: Concurrent Session Control

Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].

AC-11 Access Control: Device Lock

a. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and
b. Retain the device lock until the user reestablishes access using established identification and authentication procedures.

AC-11(1) Access Control: Device Lock | Pattern-hiding Displays

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

AC-12 Access Control: Session Termination

Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].

AC-12(1) Access Control: Session Termination | User-initiated Logouts

Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources].

AC-12(2) Access Control: Session Termination | Termination Message

Display an explicit logout message to users indicating the termination of authenticated communications sessions.

AC-12(3) Access Control: Session Termination | Timeout Warning Message

Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session].

AC-18(2) Access Control: Wireless Access | Monitoring Unauthorized Connections

[Withdrawn: Incorporated into SI-4.]

AC-14 Access Control: Permitted Actions Without Identification or Authentication

a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and
b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

AC-19(1) Access Control: Access Control for Mobile Devices | Use of Writable and Portable Storage Devices

[Withdrawn: Incorporated into MP-7.]

AC-19(2) Access Control: Access Control for Mobile Devices | Use of Personally Owned Portable Storage Devices

[Withdrawn: Incorporated into MP-7.]

AC-16 Access Control: Security and Privacy Attributes

a. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission;
b. Ensure that the attribute associations are made and retained with the information;
c. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes];
d. Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes];
e. Audit changes to attributes; and
f. Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency].

AC-16(1) Access Control: Security and Privacy Attributes | Dynamic Attribute Association

Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies].