catalog: SP800-53rev3 / class: Technical / family: (AC) Access Control

AC-02: Account Management

base control objective:
The organization manages information system accounts, including:
a. Identifying account types (i.e., individual, group, system, guest/anonymous, and temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users of the information system and specifying access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Establishing, activating, modifying, disabling, and removing accounts;
f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
h. Deactivating temporary accounts that are no longer required and accounts of terminated or transferred users in accordance with organizational policy;
i. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and
j. Reviewing accounts [Assignment: organization-defined frequency].

supplemental objective information:
The identification of authorized users of the information system and the specification of access privileges is consistent with the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by organizational officials responsible for approving such accounts and privileged access.

enhancements to the base objective:

(1) The organization employs automated mechanisms to support the management of information system accounts.

(2) The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

(3) The information system automatically disables inactive accounts after [Assignment: organization-defined time period].

(4) The information system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.
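Enhancements (2) through (4) describe a mechanism rather than a paperwork step, so the following is an added worked example (not text or code from SP 800-53 or this catalog page) of the evaluation loop such a mechanism runs over a directory snapshot: expire temporary and emergency accounts by age, disable accounts by inactivity, and emit an audit record for every action. The periods in POLICY, the account records, the actor name `acct-lifecycle-bot` and the notification hook are all constructed assumptions standing in for the organization-defined values.

```python
"""Automated account lifecycle checks corresponding to AC-2 enhancements (2), (3) and (4).

Added example, not text from SP 800-53 or this catalog page. The periods in POLICY,
the account records in make_sample_accounts() and the actor name are constructed
assumptions; an organization substitutes its own assignments and directory source.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Organization-defined periods (the [Assignment: ...] values in the control text).
# Illustrative numbers only; SP 800-53 does not prescribe them.
POLICY = {
    "temporary": timedelta(days=7),    # (2) temporary accounts are terminated 7 days after creation
    "emergency": timedelta(hours=24),  # (2) emergency (break-glass) accounts last 24 hours
    "inactive": timedelta(days=90),    # (3) enabled accounts with no login for 90 days are disabled
}


@dataclass
class Account:
    name: str
    kind: str                       # individual | group | system | guest/anonymous | temporary | emergency
    created: datetime
    last_login: Optional[datetime]  # None = never authenticated
    enabled: bool = True


@dataclass
class AuditEvent:
    when: datetime
    actor: str
    action: str                     # disabled | terminated (creation/modification would be logged the same way)
    account: str
    reason: str


def evaluate(accounts: List[Account], now: datetime, actor: str = "acct-lifecycle-bot") -> List[AuditEvent]:
    """Apply (2) and (3) to every enabled account and return the audit trail required by (4)."""
    events: List[AuditEvent] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        # (2): temporary and emergency accounts are terminated once their period has elapsed,
        # regardless of how recently they were used.
        if acct.kind in ("temporary", "emergency"):
            if now - acct.created >= POLICY[acct.kind]:
                acct.enabled = False
                events.append(AuditEvent(now, actor, "terminated", acct.name,
                                         f"{acct.kind} account older than {POLICY[acct.kind]}"))
                continue
        # System/service accounts rarely log in interactively; judging them by last_login would
        # disable them by accident, so they need a different activity signal (key or token use)
        # and are excluded from this login-based rule.
        if acct.kind == "system":
            continue
        # (3): inactivity is measured from the last login, or from creation for never-used accounts,
        # so an account that was provisioned and never claimed still ages out.
        last_seen = acct.last_login or acct.created
        if now - last_seen >= POLICY["inactive"]:
            acct.enabled = False
            events.append(AuditEvent(now, actor, "disabled", acct.name,
                                     f"no login since {last_seen.date().isoformat()}"))
    return events


def notify(events: List[AuditEvent]) -> List[str]:
    """(4) notification: render one line per action for the account managers."""
    return [f"{e.when.isoformat()} {e.actor} {e.action} {e.account}: {e.reason}" for e in events]


NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed evaluation time


def make_sample_accounts() -> List[Account]:
    """Constructed directory snapshot; returns fresh objects because evaluate() mutates them."""
    return [
        Account("alice", "individual", NOW - timedelta(days=400), NOW - timedelta(days=2)),       # active, untouched
        Account("bob", "individual", NOW - timedelta(days=400), NOW - timedelta(days=120)),       # idle 120 d: disabled
        Account("contractor-9", "temporary", NOW - timedelta(days=10), NOW - timedelta(days=1)),  # used yesterday, but 10 d old: terminated
        Account("breakglass-1", "emergency", NOW - timedelta(hours=6), None),                    # 6 h old: still valid
        Account("svc-backup", "system", NOW - timedelta(days=400), None),                        # excluded from login-based rule
        Account("carol", "individual", NOW - timedelta(days=30), None),                          # never used, 30 d old: untouched
    ]


def run_sample() -> List[AuditEvent]:
    """Evaluate the constructed snapshot."""
    return evaluate(make_sample_accounts(), NOW)


if __name__ == "__main__":
    for line in notify(run_sample()):
        print(line)
```

Two design points worth noting: the temporary-account check runs before the inactivity check and fires on age alone, so a contractor who logged in yesterday is still cut off when the approved period ends; and the never-logged-in case is aged from creation rather than skipped, because an unclaimed account is exactly the kind that goes unnoticed. System accounts are deliberately exempt from the login-based rule, which means they need their own activity source or they become the gap in (3).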

(5) The organization:
(a) Requires that users log out when [Assignment: organization-defined time period of expected inactivity and/or description of when to log out];
(b) Determines normal time-of-day and duration usage for information system accounts;
(c) Monitors for atypical usage of information system accounts; and
(d) Reports atypical usage to designated organizational officials.
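Items (b) through (d) of enhancement (5) amount to a baselining job: learn each account's normal start hours and session length from history, compare new sessions against it, and report the outliers. The following is an added worked example of that job (not text or code from SP 800-53 or this catalog page); the session records, the one-hour slack, the three-sigma duration limit and the five-session minimum are constructed, illustrative assumptions.

```python
"""Time-of-day and duration baselining for AC-2 enhancement (5)(b)-(d).

Added example, not text from SP 800-53 or this catalog page. HISTORY and the
sessions in run_sample() are constructed records; the slack, sigma and
min_sessions thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Session = Tuple[str, datetime, int]   # (account, session start, duration in minutes)


def build_baseline(history: List[Session]) -> Dict[str, dict]:
    """(5)(b): per-account normal start-hour window and duration statistics from past sessions."""
    by_acct: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for account, start, minutes in history:
        by_acct[account].append((start.hour, minutes))
    baseline = {}
    for account, rows in by_acct.items():
        hours = [h for h, _ in rows]
        durations = [m for _, m in rows]
        baseline[account] = {
            "earliest": min(hours), "latest": max(hours),
            "mean": mean(durations), "stdev": pstdev(durations),
            "sessions": len(rows),
        }
    return baseline


def is_atypical(baseline, account, start, minutes, slack_hours=1, sigma=3.0, min_sessions=5) -> List[str]:
    """(5)(c): reasons a session departs from the account's baseline; an empty list means normal."""
    b = baseline.get(account)
    if b is None or b["sessions"] < min_sessions:
        # Too little history to call anything "normal": surface it rather than silently pass.
        return ["no baseline"]
    reasons = []
    if not (b["earliest"] - slack_hours <= start.hour <= b["latest"] + slack_hours):
        reasons.append(f"start {start.hour:02d}:00 outside {b['earliest']:02d}-{b['latest']:02d}")
    # Floor the spread at 15 minutes so an extremely regular user is not flagged for tiny variance.
    limit = b["mean"] + sigma * max(b["stdev"], 15)
    if minutes > limit:
        reasons.append(f"duration {minutes} min exceeds {limit:.0f} min")
    return reasons


def report(baseline, sessions: List[Session]) -> List[str]:
    """(5)(d): one line per atypical session for the designated official."""
    lines = []
    for account, start, minutes in sessions:
        reasons = is_atypical(baseline, account, start, minutes)
        if reasons:
            lines.append(f"{start.isoformat()} {account}: " + "; ".join(reasons))
    return lines


# Constructed history: alice works about 8 h starting at 08:00 or 09:00; carol has too few sessions.
HISTORY: List[Session] = [
    ("alice", datetime(2024, 2, 1 + i, 8 + i % 2, 0), d)
    for i, d in enumerate([480, 470, 490, 500, 460, 480, 475, 485, 495, 465])
] + [
    ("carol", datetime(2024, 2, 5, 10, 0), 240),
    ("carol", datetime(2024, 2, 6, 10, 0), 250),
    ("carol", datetime(2024, 2, 7, 11, 0), 230),
]


def run_sample() -> List[str]:
    """Score a constructed day of sessions against the baseline built from HISTORY."""
    baseline = build_baseline(HISTORY)
    today: List[Session] = [
        ("alice", datetime(2024, 3, 4, 8, 30), 470),   # normal
        ("alice", datetime(2024, 3, 5, 3, 0), 60),     # 03:00 start: outside the 07-10 window
        ("alice", datetime(2024, 3, 6, 9, 0), 1500),   # 25 h session: far beyond mean + 3 sigma
        ("carol", datetime(2024, 3, 4, 10, 0), 240),   # only 3 past sessions: no baseline yet
    ]
    return report(baseline, today)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The accounts with thin history are reported as "no baseline" instead of being passed, since an account with almost no record is exactly where a newly compromised credential shows up; and the duration limit has a floor on the standard deviation so that a user whose sessions are all within a few minutes of each other is not flagged by every ordinary day.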

(6) The information system dynamically manages user privileges and associated access authorizations.
Enhancement Supplemental Guidance: In contrast to conventional access control approaches which employ static information system accounts and predefined sets of user privileges, many service-oriented architecture implementations rely on run time access control decisions facilitated by dynamic privilege management. While user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing mission/business requirements and operational needs of the organization.

(7) The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles; and
(b) Tracks and monitors privileged role assignments.
Enhancement Supplemental Guidance: Privileged roles include, for example, key management, network and system administration, database administration, web administration.

mapping to FIPS199 baseline:

  LOW: base     MOD: base (1) (2) (3) (4)     HIGH: base (1) (2) (3) (4)  

related controls:

AC-03   Access Enforcement
AC-04   Information Flow Enforcement
AC-05   Separation of Duties
AC-06   Least Privilege
AC-10   Concurrent Session Control
AC-17   Remote Access
AC-19   Access Control for Mobile Devices
AC-20   Use of External Information Systems
AU-09   Protection of Audit Information
IA-04   Identifier Management
IA-05   Authenticator Management
CM-05   Access Restrictions for Change
CM-06   Configuration Settings
MA-03   Maintenance Tools
MA-04   Non-local Maintenance
MA-05   Maintenance Personnel
SA-07   User Installed Software
SC-13   Use of Cryptography
SI-09   Information Input Restrictions

documents referenced in SP800-53rev3 for AC-02:

Document        Date           Status    Title
NIST SP800-12   October 1995   current   An Introduction to Computer Security: The NIST Handbook
NIST SP800-66   October 2008   current   An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule