AC-3(10)

Requirement

Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].

Discussion

In certain situations, such as when there is a threat to human life or an event that threatens the organization's ability to carry out critical missions or business functions, an override capability for access control mechanisms may be needed. Override conditions are defined by organizations and used only in those limited circumstances. Audit events are defined in AU-2. Audit records are generated in AU-12.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; conditions for employing audited override of automated access control mechanisms; system audit records; system security plan; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].

ID	Assessment Objectives
AC-03(10)	an audited override of automated access control mechanisms is employed under <AC-03(10)_ODP[01] conditions> by <AC-03(10)_ODP[02] roles>.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!