catalog: SP800-53rev3 / class: Technical / family: (AC) Access Control
AC-03: Access Enforcement

base control objective:
Control: The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

supplemental objective information:
Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. In addition to enforcing authorized access at the information-system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for the organization. Consideration is given to the implementation of an audited, explicit override of automated mechanisms in the event of emergencies or other serious events. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used is FIPS 140-2 (as amended) compliant. For classified, national security information, the cryptography used is largely dependent on the classification level of the information. Mechanisms implemented by AC-3 are configured to enforce authorizations determined by other security controls.

enhancements to the base objective:

(1) Withdrawn: Incorporated into AC-06.

(2) The information system enforces dual authorization, based on organizational policies and procedures for [Assignment: organization-defined privileged commands].
Enhancement Supplemental Guidance: Dual authorization mechanisms require two forms of approval to execute. The organization does not employ dual authorization mechanisms when an immediate response is necessary to ensure public and environmental safety.

(3) The information system enforces [Assignment: organization-defined nondiscretionary access control policies] over [Assignment: organization-defined set of users and resources] where the policy rule set for each policy specifies:
(a) Access control information (i.e., attributes) employed by the policy rule set (e.g., position, nationality, age, project, time of day); and
(b) Required relationships among the access control information to permit access.
Enhancement Supplemental Guidance: Nondiscretionary access control policies that may be implemented by organizations include, for example, Attribute-Based Access Control, Mandatory Access Control, and Originator Controlled Access Control. Nondiscretionary access control policies may be employed by organizations in addition to the employment of discretionary access control policies. For Mandatory Access Control (MAC): Policy establishes coverage over all subjects and objects under its control to ensure that each user receives only that information to which the user is authorized access based on classification of the information, and on user clearance and formal access authorization. The information system assigns appropriate security attributes (e.g., labels/security domains/types) to subjects and objects, and uses these attributes as the basis for MAC decisions. The Bell-LaPadula security model defines allowed access as follows: A subject can read an object only if the security level of the subject dominates the security level of the object and a subject can write to an object only if two conditions are met: the security level of the object dominates the security level of the subject, and the security level of the user’s clearance dominates the security level of the object (no read up, no write down). For Role-Based Access Control (RBAC): Policy establishes coverage over all users and resources to ensure that access rights are grouped by role name, and access to resources is restricted to users who have been authorized to assume the associated role.
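The Bell-LaPadula read/write rules quoted above, carried through as an added example (not part of SP 800-53 or this catalog page): a label is a hierarchical level plus a set of categories, `dominates` is the lattice ordering, and the subject keeps a separate clearance and current session label so the write rule's clearance condition can be checked. The `Level`, `Label`, `Subject` names and the sample labels are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class Label:
    """Security attribute: hierarchical level plus a set of need-to-know categories."""
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level is higher or equal AND categories are a superset.
        return self.level >= other.level and self.categories >= other.categories

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label  # maximum label the user is formally authorized for
    current: Label    # label the session is running at (may be below clearance)

def can_read(subject: Subject, obj: Label) -> bool:
    """No read up: the subject's current label must dominate the object's."""
    return subject.current.dominates(obj)

def can_write(subject: Subject, obj: Label) -> bool:
    """No write down: the object must dominate the current label, and the user's
    clearance must dominate the object (write up only within what is cleared)."""
    return obj.dominates(subject.current) and subject.clearance.dominates(obj)

# Constructed sample data, not taken from the catalog.
NATO, CRYPTO, SIGINT = "NATO", "CRYPTO", "SIGINT"
ALICE = Subject("alice",
                clearance=Label(Level.TOP_SECRET, frozenset({NATO, CRYPTO})),
                current=Label(Level.SECRET, frozenset({NATO})))
CONF_MEMO = Label(Level.CONFIDENTIAL)
SECRET_NATO = Label(Level.SECRET, frozenset({NATO}))
TS_NATO_CRYPTO = Label(Level.TOP_SECRET, frozenset({NATO, CRYPTO}))
TS_NATO_SIGINT = Label(Level.TOP_SECRET, frozenset({NATO, SIGINT}))

if __name__ == "__main__":
    for name, obj in [("CONF_MEMO", CONF_MEMO), ("SECRET_NATO", SECRET_NATO),
                      ("TS_NATO_CRYPTO", TS_NATO_CRYPTO), ("TS_NATO_SIGINT", TS_NATO_SIGINT)]:
        print(f"{name:15} read={can_read(ALICE, obj)} write={can_write(ALICE, obj)}")
```

Running it shows the asymmetry the guidance describes: the session can read down and write up, but a write to TS_NATO_SIGINT is refused because the user's clearance lacks the SIGINT category even though the object's level dominates the session.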

(4) The information system enforces a Discretionary Access Control (DAC) policy that:
(a) Allows users to specify and control sharing by named individuals or groups of individuals, or by both;
(b) Limits propagation of access rights; and
(c) Includes or excludes access to the granularity of a single user.

(5) The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.
Enhancement Supplemental Guidance: Security-relevant information is any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Filtering rules for routers and firewalls, cryptographic key management information, key configuration parameters for security services, and access control lists are examples of security-relevant information. Secure, non-operable system states are states in which the information system is not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown).

(6) The organization encrypts or stores off-line in a secure location [Assignment: organization-defined critical or sensitive user and/or system information].

mapping to FIPS199 baseline:

LOW: base     MOD: base     HIGH: base

related (regimented) controls:

AC-02   Account Management
AC-04   Information Flow Enforcement
AC-05   Separation of Duties
AC-06   Least Privilege
AC-16   Security Attributes
AC-17   Remote Access
AC-19   Access Control for Mobile Devices
AC-20   Use of External Information Systems
AU-09   Protection of Audit Information
CM-05   Access Restrictions for Change
CM-06   Configuration Settings
MA-03   Maintenance Tools
MA-04   Non-local Maintenance
MA-05   Maintenance Personnel
SA-07   User Installed Software
SC-13   Use of Cryptography
SI-09   Information Input Restrictions

documents referenced in SP800-53rev3 for AC-03:

Document | Date | Status | Title
FIPS 140-2 | May, 2001 | current | Security Requirements for Cryptographic Modules
FIPS 201-1 | March, 2006 | current | Personal Identity Verification (PIV) of Federal Employees and Contractors
NIST SP800-12 | October, 1995 | current | An Introduction to Computer Security: The NIST Handbook
NIST SP800-19 | October, 1999 | current | Mobile Agent Security
NIST SP800-66 | October, 2008 | current | An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST SP800-73-part2 | February, 2010 | current | Interfaces for Personal Identity Verification
NIST SP800-76 | September, 2006 | DRAFT | Biometric Data Specification for Personal Identity Verification
NIST SP800-78 | December, 2010 | current | Cryptographic Algorithms and Key Sizes for Personal Identity Verification
NIST SP800-87 | January, 2006 | current | Codes for Identification of Federal and Federally-Assisted Organizations
NIST SP800-95 | August, 2006 | DRAFT | Guide to Secure Web Services
NIST SP800-96 | September, 2006 | current | PIV Card to Reader Interoperability Guidelines
NIST SP800-98 | September, 2006 | DRAFT | Guidelines for Securing Radio Frequency Identification (RFID) Systems
