AC-3(15)

  • Requirement

    1. Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and
    2. Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.
  • Discussion

    Simultaneously implementing a mandatory access control policy and a discretionary access control policy can provide additional protection against the unauthorized execution of code by users or processes acting on behalf of users. This helps prevent a single compromised user or process from compromising the entire system.

More Info

  • Title

    Access Enforcement | Discretionary and Mandatory Access Control
  • Family

    Access Control
  • NIST 800-53B Baseline(s)

  • Related NIST 800-53 ID

    SC-2; SC-3; AC-4
