AC-2(7)

Requirement
1. Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme];
2. Monitor privileged role or attribute assignments;
3. Monitor changes to roles or attributes; and
4. Revoke access when privileged role or attribute assignments are no longer appropriate.

Discussion

Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: Access control policy; procedures addressing account management; system design documentation; system configuration settings and associated documentation; system-generated list of privileged user accounts and associated roles; records of actions taken when privileged role assignments are no longer appropriate; system audit records; audit tracking and monitoring reports; system monitoring records; system security plan; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities].

Test

[SELECT FROM: Mechanisms implementing account management functions; mechanisms monitoring privileged role assignments].

ID	Assessment Objectives
AC-02(07)(a)	privileged user accounts are established and administered in accordance with <AC-02(07)_ODP SELECTED PARAMETER VALUE>;
AC-02(07)(b)	privileged role or attribute assignments are monitored;
AC-02(07)(c)	changes to roles or attributes are monitored;
AC-02(07)(d)	access is revoked when privileged role or attribute assignments are no longer appropriate.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!