AC-3(5)

  • Requirement

    Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.

  • Discussion

    Security-relevant information is information within systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security and privacy policies or maintain the separation of code and data. Security-relevant information includes access control lists, filtering rules for routers or firewalls, configuration parameters for security services, and cryptographic key management information. Secure, non-operable system states include the times in which systems are not performing mission or business-related processing, such as when the system is offline for maintenance, boot-up, troubleshooting, or shut down.

More Info

  • Title

    Access Enforcement | Security-relevant Information
  • Family

    Access Control
  • NIST 800-53B Baseline(s)

    • Related NIST 800-53 ID

      CM-6;SC-39

    NIST 800-53A Assessment Guidance

    CMMC Training

    Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!