Texas A&M University System Security Control Standards Catalog

Table of Contents
Family: Access Control (AC)

AC-1 Policy and Procedures

AC-2 Account Management

AC-3 Access Enforcement

AC-4 Information Flow Enforcement

AC-5 Separation of Duties

AC-6 Least Privilege

AC-7 Unsuccessful Logon Attempts

AC-8 System Use Notification

AC-9 Previous Logon Notification

AC-10 Concurrent Session Control

AC-11 Device Lock

AC-12 Session Termination

AC-13 Supervision and Review — Access Control

AC-14 Permitted Actions Without Identification or Authentication

AC-15 Automated Marking

AC-16 Security and Privacy Attributes

AC-17 Remote Access

AC-18 Wireless Access

AC-19 Access Control for Mobile Devices

AC-20 Use of External Systems

AC-21 Information Sharing

AC-22 Publicly Accessible Content

AC-23 Data Mining Protection

AC-24 Access Control Decisions

AC-25 Reference Monitor

Family: Awareness and Training (AT)

AT-1 Policy and Procedures

AT-2 Literacy Training and Awareness

AT-3 Role-based Training

AT-4 Training Records

AT-5 Contacts with Security Groups and Associations

AT-6 Training Feedback

Family: Audit and Accountability (AU)

AU-1 Policy and Procedures

AU-2 Event Logging

AU-3 Content of Audit Records

AU-4 Audit Log Storage Capacity

AU-5 Response to Audit Logging Process Failures

AU-6 Audit Record Review, Analysis, and Reporting

AU-7 Audit Record Reduction and Report Generation

AU-8 Time Stamps

AU-9 Protection of Audit Information

AU-10 Non-repudiation

AU-11 Audit Record Retention

AU-12 Audit Record Generation

AU-13 Monitoring for Information Disclosure

AU-14 Session Audit

AU-15 Alternate Audit Logging Capability

AU-16 Cross-organizational Audit Logging

Family: Assessment, Authorization, and Monitoring (CA)

CA-1 Policy and Procedures

CA-2 Control Assessments

CA-3 Information Exchange

CA-4 Security Certification

CA-5 Plan of Action and Milestones

CA-6 Authorization

CA-7 Continuous Monitoring

CA-8 Penetration Testing

CA-9 Internal System Connections

Family: Configuration Management (CM)

CM-1 Policy and Procedures

CM-2 Baseline Configuration

CM-3 Configuration Change Control

CM-4 Impact Analyses

CM-5 Access Restrictions for Change

CM-6 Configuration Settings

CM-7 Least Functionality

CM-8 System Component Inventory

CM-9 Configuration Management Plan

CM-10 Software Usage Restrictions

CM-11 User-installed Software

CM-12 Information Location

CM-13 Data Action Mapping

CM-14 Signed Components

Family: Contingency Planning (CP)

CP-1 Policy and Procedures

CP-2 Contingency Plan

CP-3 Contingency Training

CP-4 Contingency Plan Testing

CP-5 Contingency Plan Update

CP-6 Alternate Storage Site

CP-7 Alternate Processing Site

CP-8 Telecommunications Services

CP-9 System Backup

CP-10 System Recovery and Reconstitution

CP-11 Alternate Communications Protocols

CP-12 Safe Mode

CP-13 Alternative Security Mechanisms

Family: Identification and Authentication (IA)

IA-1 Policy and Procedures

IA-2 Identification and Authentication (Organizational Users)

IA-3 Device Identification and Authentication

IA-4 Identifier Management

IA-5 Authenticator Management

IA-6 Authentication Feedback

IA-7 Cryptographic Module Authentication

IA-8 Identification and Authentication (Non-organizational Users)

IA-9 Service Identification and Authentication

IA-10 Adaptive Authentication

IA-11 Re-authentication

IA-12 Identity Proofing

IA-13 Identity Providers and Authorization Servers

Family: Incident Response (IR)

IR-1 Policy and Procedures

IR-2 Incident Response Training

IR-3 Incident Response Testing

IR-4 Incident Handling

IR-5 Incident Monitoring

IR-6 Incident Reporting

IR-7 Incident Response Assistance

IR-8 Incident Response Plan

(1) Breaches

IR-9 Information Spillage Response

IR-10 Integrated Information Security Analysis Team

Family: Maintenance (MA)

MA-1 Policy and Procedures

MA-2 Controlled Maintenance

MA-3 Maintenance Tools

MA-4 Nonlocal Maintenance

MA-5 Maintenance Personnel

MA-6 Timely Maintenance

MA-7 Field Maintenance

Family: Media Protection (MP)

MP-1 Policy and Procedures

MP-2 Media Access

MP-3 Media Marking

MP-4 Media Storage

MP-5 Media Transport

MP-6 Media Sanitization

MP-7 Media Use

MP-8 Media Downgrading

Family: Physical and Environmental Protection (PE)

PE-1 Policy and Procedures

PE-2 Physical Access Authorizations

PE-3 Physical Access Control

PE-4 Access Control for Transmission

PE-5 Access Control for Output Devices

PE-6 Monitoring Physical Access

PE-7 Visitor Control

PE-8 Visitor Access Records

PE-9 Power Equipment and Cabling

PE-10 Emergency Shutoff

PE-11 Emergency Power

PE-12 Emergency Lighting

PE-13 Fire Protection

PE-14 Environmental Controls

PE-15 Water Damage Protection

PE-16 Delivery and Removal

PE-17 Alternate Work Site

PE-18 Location of System Components

PE-19 Information Leakage

PE-20 Asset Monitoring and Tracking

PE-21 Electromagnetic Pulse Protection

PE-22 Component Marking

PE-23 Facility Location

Family: Planning (PL)

PL-1 Policy and Procedures

PL-2 System Security and Privacy Plans

PL-3 System Security Plan Update

PL-4 Rules of Behavior

PL-5 Privacy Impact Assessment

PL-6 Security-related Activity Planning

PL-7 Concept of Operations

PL-8 Security and Privacy Architectures

PL-9 Central Management

PL-10 Baseline Selection

PL-11 Baseline Tailoring

Family: Program Management (PM)

PM-1 Information Security Program Plan

PM-2 Information Security Program Leadership Role

PM-3 Information Security and Privacy Resources

PM-4 Plan of Action and Milestones Process

PM-5 System Inventory

PM-6 Measures of Performance

PM-7 Enterprise Architecture

PM-8 Critical Infrastructure Plan

PM-9 Risk Management Strategy

PM-10 Authorization Process

PM-11 Mission and Business Process Definition

PM-12 Insider Threat Program

PM-13 Security and Privacy Workforce

PM-14 Testing, Training, and Monitoring

PM-15 Security and Privacy Groups and Associations

PM-16 Threat Awareness Program

PM-17 Protecting Controlled Unclassified Information on External Systems

PM-18 Privacy Program Plan

PM-19 Privacy Program Leadership Role

PM-20 Dissemination of Privacy Program Information

PM-21 Accounting of Disclosures

PM-22 Personally Identifiable Information Quality Management

PM-23 Data Governance Body

PM-24 Data Integrity Board

PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research

PM-26 Complaint Management

PM-27 Privacy Reporting

PM-28 Risk Framing

PM-29 Risk Management Program Leadership Roles

PM-30 Supply Chain Risk Management Strategy

PM-31 Continuous Monitoring Strategy

PM-32 Purposing

Family: Personnel Security (PS)

PS-1 Policy and Procedures

PS-2 Position Risk Designation

PS-3 Personnel Screening

PS-4 Personnel Termination

PS-5 Personnel Transfer

PS-6 Access Agreements

PS-7 External Personnel Security

PS-8 Personnel Sanctions

PS-9 Position Descriptions

Family: Personally Identifiable Information Processing and Transparency (PT)

PT-1 Policy and Procedures

PT-2 Authority to Process Personally Identifiable Information

PT-3 Personally Identifiable Information Processing Purposes

PT-4 Consent

PT-5 Privacy Notice

PT-6 System of Records Notice

PT-7 Specific Categories of Personally Identifiable Information

PT-8 Computer Matching Requirements

Family: Risk Assessment (RA)

RA-1 Policy and Procedures

RA-2 Security Categorization

RA-3 Risk Assessment

RA-4 Risk Assessment Update

RA-5 Vulnerability Monitoring and Scanning

RA-6 Technical Surveillance Countermeasures Survey

RA-7 Risk Response

RA-8 Privacy Impact Assessments

RA-9 Criticality Analysis

RA-10 Threat Hunting

Family: System and Services Acquisition (SA)

SA-1 Policy and Procedures

SA-2 Allocation of Resources

SA-3 System Development Life Cycle

SA-4 Acquisition Process

SA-5 System Documentation

SA-6 Software Usage Restrictions

SA-7 User-installed Software

SA-8 Security and Privacy Engineering Principles

SA-9 External System Services

SA-10 Developer Configuration Management

SA-11 Developer Testing and Evaluation

SA-12 Supply Chain Protection

SA-13 Trustworthiness

SA-14 Criticality Analysis

SA-15 Development Process, Standards, and Tools

SA-16 Developer-provided Training

SA-17 Developer Security and Privacy Architecture and Design

SA-18 Tamper Resistance and Detection

SA-19 Component Authenticity

SA-20 Customized Development of Critical Components

SA-21 Developer Screening

SA-22 Unsupported System Components

SA-23 Specialization

Family: System and Communications Protection (SC)

SC-1 Policy and Procedures

SC-2 Separation of System and User Functionality

SC-3 Security Function Isolation

SC-4 Information in Shared System Resources

SC-5 Denial-of-service Protection

SC-6 Resource Availability

SC-7 Boundary Protection

SC-8 Transmission Confidentiality and Integrity

SC-9 Transmission Confidentiality

SC-10 Network Disconnect

SC-11 Trusted Path

SC-12 Cryptographic Key Establishment and Management

SC-13 Cryptographic Protection

SC-14 Public Access Protections

SC-15 Collaborative Computing Devices and Applications

SC-16 Transmission of Security and Privacy Attributes

SC-17 Public Key Infrastructure Certificates

SC-18 Mobile Code

SC-19 Voice Over Internet Protocol

SC-20 Secure Name/Address Resolution Service (Authoritative Source)

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)

SC-22 Architecture and Provisioning for Name/Address Resolution Service

SC-23 Session Authenticity

SC-24 Fail in Known State

SC-25 Thin Nodes

SC-26 Decoys

SC-27 Platform-independent Applications

SC-28 Protection of Information at Rest

SC-29 Heterogeneity

SC-30 Concealment and Misdirection

SC-31 Covert Channel Analysis

SC-32 System Partitioning

SC-33 Transmission Preparation Integrity

SC-34 Non-modifiable Executable Programs

SC-35 External Malicious Code Identification

SC-36 Distributed Processing and Storage

SC-37 Out-of-band Channels

SC-38 Operations Security

SC-39 Process Isolation

SC-40 Wireless Link Protection

SC-41 Port and I/O Device Access

SC-42 Sensor Capability and Data

SC-43 Usage Restrictions

SC-44 Detonation Chambers

SC-45 System Time Synchronization

SC-46 Cross Domain Policy Enforcement

SC-47 Alternate Communications Paths

SC-48 Sensor Relocation

SC-49 Hardware-enforced Separation and Policy Enforcement

SC-50 Software-enforced Separation and Policy Enforcement

SC-51 Hardware-based Protection

Family: System and Information Integrity (SI)

SI-1 Policy and Procedures

SI-2 Flaw Remediation

SI-3 Malicious Code Protection

SI-4 System Monitoring

SI-5 Security Alerts, Advisories, and Directives

SI-6 Security and Privacy Function Verification

SI-7 Software, Firmware, and Information Integrity

SI-8 Spam Protection

SI-9 Information Input Restrictions

SI-10 Information Input Validation

SI-11 Error Handling

SI-12 Information Management and Retention

SI-13 Predictable Failure Prevention

SI-14 Non-persistence

SI-15 Information Output Filtering

SI-16 Memory Protection

SI-17 Fail-safe Procedures

SI-18 Personally Identifiable Information Quality Operations

SI-19 De-identification

SI-20 Tainting

SI-21 Information Refresh

SI-22 Information Diversity

SI-23 Information Fragmentation

Family: Supply Chain Risk Management (SR)

SR-1 Policy and Procedures

SR-2 Supply Chain Risk Management Plan

SR-3 Supply Chain Controls and Processes

SR-4 Provenance

SR-5 Acquisition Strategies, Tools, and Methods

SR-6 Supplier Assessments and Reviews

SR-7 Supply Chain Operations Security

SR-8 Notification Agreements

SR-9 Tamper Resistance and Detection

SR-10 Inspection of Systems or Components

SR-11 Component Authenticity

SR-12 Component Disposal

References

Access Control - 25 controls
AC-1 Policy and Procedures

Implementation Level: Organization

Contributes to Assurance: Yes

Texas DIR Baseline: LOW

Texas DIR Privacy Baseline: Yes

Texas DIR Required By: 2023-07-20

Control:

a.

Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:

1.

[Selection: organization-level; mission/business process-level; system-level] access control policy that:

(a)

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

(b)

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

2.

Procedures to facilitate the implementation of the access control policy and the associated access controls;

b.

Designate an [Assignment: official] to manage the development, documentation, and dissemination of the access control policy and procedures; and

c.

Review and update the current access control:

1.

Policy [Assignment: frequency] and following [Assignment: events] ; and

2.

Procedures [Assignment: frequency] and following [Assignment: events].

Discussion

Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

Assessment Objectives
AC-01a.[01]

an access control policy is developed and documented;

AC-01a.[02]

the access control policy is disseminated to [Assignment: personnel or roles];

AC-01a.[03]

access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;

AC-01a.[04]

the access control procedures are disseminated to [Assignment: personnel or roles];

AC-01a.01(a)[01]

the [Selection: organization-level; mission/business process-level; system-level] access control policy addresses purpose;

AC-01a.01(a)[02]

the [Selection: organization-level; mission/business process-level; system-level] access control policy addresses scope;

AC-01a.01(a)[03]

the [Selection: organization-level; mission/business process-level; system-level] access control policy addresses roles;

AC-01a.01(a)[04]

the [Selection: organization-level; mission/business process-level; system-level] access control policy addresses responsibilities;

AC-01a.01(a)[05]

the [Selection: organization-level; mission/business process-level; system-level] access control policy addresses management commitment;

AC-01a.01(a)[06]

the [Selection: organization-level; mission/business process-level; system-level] access control policy addresses coordination among organizational entities;

AC-01a.01(a)[07]

the [Selection: organization-level; mission/business process-level; system-level] access control policy addresses compliance;

AC-01a.01(b)

the [Selection: organization-level; mission/business process-level; system-level] access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

AC-01b.

the [Assignment: official] is designated to manage the development, documentation, and dissemination of the access control policy and procedures;

AC-01c.01[01]

the current access control policy is reviewed and updated [Assignment: frequency];

AC-01c.01[02]

the current access control policy is reviewed and updated following [Assignment: events];

AC-01c.02[01]

the current access control procedures are reviewed and updated [Assignment: frequency];

AC-01c.02[02]

the current access control procedures are reviewed and updated following [Assignment: events].

Assessment Method: EXAMINE

Access control policy and procedures

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access control responsibilities

organizational personnel with information security and privacy responsibilities

Related controls: IA-1, PM-9, PM-24, PS-8, SI-12.

Control enhancements
AC-2 Account Management

Implementation Level: Organization

Texas DIR Baseline: LOW

Texas DIR Required By: 2023-07-20

Control:

a.

Define and document the types of accounts allowed and specifically prohibited for use within the system;

b.

Assign account managers;

c.

Require [Assignment: prerequisites and criteria] for group and role membership;

d.

Specify:

1.

Authorized users of the system;

2.

Group and role membership; and

3.

Access authorizations (i.e., privileges) and [Assignment: attributes (as required)] for each account;

e.

Require approvals by [Assignment: personnel or roles] for requests to create accounts;

f.

Create, enable, modify, disable, and remove accounts in accordance with [Assignment: policy, procedures, prerequisites, and criteria];

g.

Monitor the use of accounts;

h.

Notify account managers and [Assignment: personnel or roles] within:

1.

[Assignment: time period] when accounts are no longer required;

2.

[Assignment: time period] when users are terminated or transferred; and

3.

[Assignment: time period] when system usage or need-to-know changes for an individual;

i.

Authorize access to the system based on:

1.

A valid access authorization;

2.

Intended system usage; and

3.

[Assignment: attributes (as required)];

j.

Review accounts for compliance with account management requirements [Assignment: frequency];

k.

Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and

l.

Align account management processes with personnel termination and transfer processes.

Texas DIR Implementation:

[Withdrawn: Moved to AC-6.]

Discussion

Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.

Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.

Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.

Assessment Objectives
AC-02a.[01]

account types allowed for use within the system are defined and documented;

AC-02a.[02]

account types specifically prohibited for use within the system are defined and documented;

AC-02b.

account managers are assigned;

AC-02c.

[Assignment: prerequisites and criteria] for group and role membership are required;

AC-02d.01

authorized users of the system are specified;

AC-02d.02

group and role membership are specified;

AC-02d.03[01]

access authorizations (i.e., privileges) are specified for each account;

AC-02d.03[02]

[Assignment: attributes (as required)] are specified for each account;

AC-02e.

approvals are required by [Assignment: personnel or roles] for requests to create accounts;

AC-02f.[01]

accounts are created in accordance with [Assignment: policy, procedures, prerequisites, and criteria];

AC-02f.[02]

accounts are enabled in accordance with [Assignment: policy, procedures, prerequisites, and criteria];

AC-02f.[03]

accounts are modified in accordance with [Assignment: policy, procedures, prerequisites, and criteria];

AC-02f.[04]

accounts are disabled in accordance with [Assignment: policy, procedures, prerequisites, and criteria];

AC-02f.[05]

accounts are removed in accordance with [Assignment: policy, procedures, prerequisites, and criteria];

AC-02g.

the use of accounts is monitored;

AC-02h.01

account managers and [Assignment: personnel or roles] are notified within [Assignment: time period] when accounts are no longer required;

AC-02h.02

account managers and [Assignment: personnel or roles] are notified within [Assignment: time period] when users are terminated or transferred;

AC-02h.03

account managers and [Assignment: personnel or roles] are notified within [Assignment: time period] when system usage or the need to know changes for an individual;

AC-02i.01

access to the system is authorized based on a valid access authorization;

AC-02i.02

access to the system is authorized based on intended system usage;

AC-02i.03

access to the system is authorized based on [Assignment: attributes (as required)];

AC-02j.

accounts are reviewed for compliance with account management requirements [Assignment: frequency];

AC-02k.[01]

a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;

AC-02k.[02]

a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;

AC-02l.[01]

account management processes are aligned with personnel termination processes;

AC-02l.[02]

account management processes are aligned with personnel transfer processes.

Assessment Method: EXAMINE

Access control policy

personnel termination policy and procedure

personnel transfer policy and procedure

procedures for addressing account management

system design documentation

system configuration settings and associated documentation

list of active system accounts along with the name of the individual associated with each account

list of recently disabled system accounts and the name of the individual associated with each account

list of conditions for group and role membership

notifications of recent transfers, separations, or terminations of employees

access authorization records

account management compliance reviews

system monitoring records

system audit records

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security and privacy responsibilities

Assessment Method: TEST

Organizational processes for account management on the system

mechanisms for implementing account management

Related controls: AC-3, AC-5, AC-6, AC-17, AC-18, AC-20, AC-24, AU-2, AU-12, CM-5, IA-2, IA-4, IA-5, IA-8, MA-3, MA-5, PE-2, PL-4, PS-2, PS-4, PS-5, PS-7, PT-2, PT-3, SC-7, SC-12, SC-13, SC-37.

Control enhancements
AC-2(1) Account Management | Automated System Account Management

Implementation Level: Organization

Control: Support the management of system accounts using [Assignment: automated mechanisms].

Discussion

Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications.

Assessment Objective
AC-02(01)

the management of system accounts is supported using [Assignment: automated mechanisms].

Assessment Method: EXAMINE

Access control policy

procedures for addressing account management

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Automated mechanisms for implementing account management functions

AC-2(2) Account Management | Automated Temporary and Emergency Account Management

Implementation Level: System

Control: Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: time period].

Discussion

Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation.

Assessment Objective
AC-02(02)

temporary and emergency accounts are automatically [Selection: removed; disabled] after [Assignment: time period].

Assessment Method: EXAMINE

Access control policy

procedures for addressing account management

system design documentation

system configuration settings and associated documentation

system-generated list of temporary accounts removed and/or disabled

system-generated list of emergency accounts removed and/or disabled

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Automated mechanisms for implementing account management functions

AC-2(3) Account Management | Disable Accounts

Implementation Level: System

Texas DIR Baseline: MODERATE

Texas DIR New Requirement: Yes

Texas DIR Required By: 2024-11-18

Control: Disable accounts within [Assignment: time period] when the accounts:

(a)

Have expired;

(b)

Are no longer associated with a user or individual;

(c)

Are in violation of organizational policy; or

(d)

Have been inactive for [Assignment: time period].

Discussion

Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system. Assessors should expect the [Assignment: time period] for disabling to be short relative to the inactivity period, since an account that is orphaned, expired, or dormant remains usable by anyone holding its authenticator until it is actually disabled.
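The following is an added worked example, not text or code from the catalog or from Texas DIR. It evaluates a constructed account list against the four AC-2(3) disabling conditions and the AC-2(2) lifetime rule for temporary and emergency accounts, so that an administrator or assessor can see which accounts a mechanism implementing these enhancements would have to disable. The time periods, the prohibited account types, the service-account exemption, and every account record are assumptions for illustration; the catalog leaves them as organization-defined values.

```python
"""Account-hygiene evaluator for AC-2(2) and AC-2(3).

Constructed example: flags accounts that trigger the AC-2(3) conditions
(a) expired, (b) no associated individual, (c) policy violation,
(d) inactive, plus the AC-2(2) hard lifetime for temporary and
emergency accounts. Records and thresholds are invented.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed organization-defined values ([Assignment: time period] in the catalog).
INACTIVITY_LIMIT = timedelta(days=90)             # AC-2(3)(d)
TEMP_ACCOUNT_LIFETIME = timedelta(days=7)         # AC-2(2), temporary accounts
EMERGENCY_ACCOUNT_LIFETIME = timedelta(hours=24)  # AC-2(2), emergency accounts
PROHIBITED_TYPES = {"guest", "anonymous"}         # AC-2a prohibited types (assumed policy)


@dataclass
class Account:
    name: str
    acct_type: str                # individual, service, temporary, emergency, guest, ...
    owner: Optional[str]          # None when no individual is associated with it
    created: datetime
    expires: Optional[datetime]
    last_logon: Optional[datetime]
    enabled: bool = True


def evaluate(acct: Account, now: datetime) -> list[str]:
    """Return the AC-2 conditions the account triggers; an empty list means compliant."""
    findings: list[str] = []
    if not acct.enabled:
        return findings  # already disabled, nothing left to enforce
    # AC-2(3)(a): the account has expired.
    if acct.expires is not None and acct.expires <= now:
        findings.append("AC-2(3)(a) expired")
    # AC-2(3)(b): no associated individual. Service accounts are exempt by assumed policy,
    # because they are owned by a system rather than a person.
    if acct.owner is None and acct.acct_type != "service":
        findings.append("AC-2(3)(b) no associated individual")
    # AC-2(3)(c): violates organizational policy (here: a prohibited account type).
    if acct.acct_type in PROHIBITED_TYPES:
        findings.append("AC-2(3)(c) prohibited account type")
    # AC-2(3)(d): inactive. An account that has never logged on is measured from creation,
    # otherwise a never-used account would never be caught.
    last_activity = acct.last_logon or acct.created
    if now - last_activity >= INACTIVITY_LIMIT:
        findings.append("AC-2(3)(d) inactive")
    # AC-2(2): temporary and emergency accounts expire on a hard clock regardless of use.
    lifetime = {"temporary": TEMP_ACCOUNT_LIFETIME,
                "emergency": EMERGENCY_ACCOUNT_LIFETIME}.get(acct.acct_type)
    if lifetime is not None and now - acct.created >= lifetime:
        findings.append("AC-2(2) short-term account past lifetime")
    return findings


def accounts_to_disable(accounts: list[Account], now: datetime) -> dict[str, list[str]]:
    """Map each non-compliant account name to the conditions it triggers."""
    return {a.name: f for a in accounts if (f := evaluate(a, now))}


# Constructed sample directory, evaluated at a fixed instant so the run is reproducible.
NOW = datetime(2024, 11, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Account("jdoe", "individual", "Jane Doe", NOW - timedelta(days=400), None, NOW - timedelta(days=3)),
    Account("contractor7", "individual", "Pat Lee", NOW - timedelta(days=200), NOW - timedelta(days=1), NOW - timedelta(days=10)),
    Account("orphan-svc", "individual", None, NOW - timedelta(days=30), None, NOW - timedelta(days=2)),
    Account("guest", "guest", "Front Desk", NOW - timedelta(days=30), None, NOW - timedelta(days=1)),
    Account("stale", "individual", "Sam Ray", NOW - timedelta(days=365), None, NOW - timedelta(days=120)),
    Account("fire-call", "emergency", "On-call SRE", NOW - timedelta(hours=30), None, NOW - timedelta(hours=29)),
    Account("backup-svc", "service", None, NOW - timedelta(days=500), None, NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for name, reasons in accounts_to_disable(SAMPLE, NOW).items():
        print(f"DISABLE {name}: {', '.join(reasons)}")
```

Run against the sample, the evaluator flags five of the seven accounts (contractor7, orphan-svc, guest, stale and fire-call) and leaves the active individual and the in-use service account alone. In a real deployment the same logic would be fed from the directory's own export and its output would become the system-generated list of disabled accounts that the EXAMINE method below asks for.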

Assessment Objectives
AC-02(03)(a)

accounts are disabled within [Assignment: time period] when the accounts have expired;

AC-02(03)(b)

accounts are disabled within [Assignment: time period] when the accounts are no longer associated with a user or individual;

AC-02(03)(c)

accounts are disabled within [Assignment: time period] when the accounts are in violation of organizational policy;

AC-02(03)(d)

accounts are disabled within [Assignment: time period] when the accounts have been inactive for [Assignment: time period].

Assessment Method: EXAMINE

Access control policy

procedures for addressing account management

system security plan

system design documentation

system configuration settings and associated documentation

system-generated list of accounts removed

system-generated list of emergency accounts disabled

system audit records

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms for implementing account management functions

AC-2(4) Account Management | Automated Audit Actions

Implementation Level: System

Control: Automatically audit account creation, modification, enabling, disabling, and removal actions.

Discussion

Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6.
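As an added example (not part of the catalog), the script below checks whether a sample of audit records evidences all five AC-2(4) actions. It assumes a Windows Security log exported as JSON lines and uses Microsoft's documented account-management event IDs (4720 created, 4722 enabled, 4725 disabled, 4726 deleted, 4738 changed); the records themselves are constructed, and the field names follow the common SIEM export layout rather than anything stated on this page.

```python
"""Coverage check for AC-2(4): which account-management actions are evidenced in the audit trail?

Constructed example. Maps Windows Security event IDs to the five AC-2(4)
actions, groups a sample of records by action, and reports the actions
for which no record was seen. The sample records are invented.
"""
import json
from collections import defaultdict

# Windows Security log event IDs for account management (Microsoft-documented).
EVENT_TO_ACTION = {
    4720: "creation",      # A user account was created
    4722: "enabling",      # A user account was enabled
    4725: "disabling",     # A user account was disabled
    4726: "removal",       # A user account was deleted
    4738: "modification",  # A user account was changed
}
REQUIRED_ACTIONS = {"creation", "modification", "enabling", "disabling", "removal"}

# Constructed sample export (JSON lines). 4624 is a logon and is deliberately unrelated.
SAMPLE_LOG = """
{"EventID": 4720, "TargetUserName": "contractor7", "SubjectUserName": "helpdesk1", "TimeCreated": "2024-11-18T09:00:00Z"}
{"EventID": 4738, "TargetUserName": "contractor7", "SubjectUserName": "helpdesk1", "TimeCreated": "2024-11-18T09:01:00Z"}
{"EventID": 4725, "TargetUserName": "stale",       "SubjectUserName": "SYSTEM",    "TimeCreated": "2024-11-18T12:05:00Z"}
{"EventID": 4624, "TargetUserName": "jdoe",        "SubjectUserName": "-",         "TimeCreated": "2024-11-18T12:06:00Z"}
{"EventID": 4726, "TargetUserName": "fire-call",   "SubjectUserName": "SYSTEM",    "TimeCreated": "2024-11-18T12:07:00Z"}
"""


def parse_records(text):
    """Yield decoded JSON records, skipping blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def account_actions(records):
    """Group account-management events by AC-2(4) action; unrelated events are ignored."""
    by_action = defaultdict(list)
    for rec in records:
        action = EVENT_TO_ACTION.get(rec.get("EventID"))
        if action is not None:
            by_action[action].append((rec["TimeCreated"], rec["SubjectUserName"], rec["TargetUserName"]))
    return dict(by_action)


def coverage_gaps(by_action):
    """Return the AC-2(4) actions with no observed audit record, sorted for stable output."""
    return sorted(REQUIRED_ACTIONS - set(by_action))


def assess(text):
    """Parse an export and return (records grouped by action, list of unevidenced actions)."""
    by_action = account_actions(parse_records(text))
    return by_action, coverage_gaps(by_action)


if __name__ == "__main__":
    by_action, gaps = assess(SAMPLE_LOG)
    for action, events in sorted(by_action.items()):
        print(f"{action:13s} {len(events)} record(s)")
    print("not evidenced in this sample:", gaps or "none")
```

On the sample, four actions are evidenced and "enabling" is not. Absence in a sample window is not proof that the action is unaudited, only that the sample does not demonstrate it; an assessor would pair this with the audit policy itself (on Windows, `auditpol /get /category:"Account Management"`) and with a TEST of the mechanism by enabling a test account and confirming that a 4722 record is produced.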

Assessment Objectives
AC-02(04)[01]

account creation is automatically audited;

AC-02(04)[02]

account modification is automatically audited;

AC-02(04)[03]

account enabling is automatically audited;

AC-02(04)[04]

account disabling is automatically audited;

AC-02(04)[05]

account removal actions are automatically audited.

Assessment Method: EXAMINE

Access control policy

procedures addressing account management

system design documentation

system configuration settings and associated documentation

notifications/alerts of account creation, modification, enabling, disabling, and removal actions

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Automated mechanisms implementing account management functions

Related controls: AU-2, AU-6.

AC-2(5) Account Management | Inactivity Logout

Implementation Level: Organization

Implementation Level: System

Control: Require that users log out when [Assignment: time period of expected inactivity or description of when to log out].

Discussion

Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by AC-11.

Assessment Objective
AC-02(05)

users are required to log out when [Assignment: time period of expected inactivity or description of when to log out].

Assessment Method: EXAMINE

Access control policy

procedures addressing account management

system design documentation

system configuration settings and associated documentation

security violation reports

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

users that must comply with inactivity logout policy

Related control: AC-11.

AC-2(6) Account Management | Dynamic Privilege Management

Implementation Level: System

Control: Implement [Assignment: dynamic privilege management capabilities].

Discussion

In contrast to access control approaches that employ static accounts and predefined user privileges, dynamic access control approaches rely on runtime access control decisions facilitated by dynamic privilege management, such as attribute-based access control. While user identities remain relatively constant over time, user privileges typically change more frequently based on ongoing mission or business requirements and the operational needs of organizations. An example of dynamic privilege management is the immediate revocation of privileges from users as opposed to requiring that users terminate and restart their sessions to reflect changes in privileges. Dynamic privilege management can also include mechanisms that change user privileges based on dynamic rules as opposed to editing specific user profiles. Examples include automatic adjustments of user privileges if they are operating out of their normal work times, if their job function or assignment changes, or if systems are under duress or in emergency situations. Dynamic privilege management includes the effects of privilege changes, for example, when there are changes to encryption keys used for communications.

Assessment Objective
AC-02(06)

[Assignment: dynamic privilege management capabilities] are implemented.

Assessment Method: EXAMINE

Access control policy

procedures addressing account management

system design documentation

system configuration settings and associated documentation

system-generated list of dynamic privilege management capabilities

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

system or mechanisms implementing dynamic privilege management capabilities

Related control: AC-16.

AC-2(7) Account Management | Privileged User Accounts

Implementation Level: Organization

Texas A&M System Required By: 2022-08-01

Control:

(a)

Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme];

(b)

Monitor privileged role or attribute assignments;

(c)

Monitor changes to roles or attributes; and

(d)

Revoke access when privileged role or attribute assignments are no longer appropriate.

Texas A&M System Implementation: Ensure users with privileged (also known as administrative or special access) accounts are aware of the extraordinary responsibilities associated with the use of privileged accounts.

Discussion

Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.

Assessment Objectives
AC-02(07)(a)

privileged user accounts are established and administered in accordance with [Selection: a role-based access scheme; an attribute-based access scheme];

AC-02(07)(b)

privileged role or attribute assignments are monitored;

AC-02(07)(c)

changes to roles or attributes are monitored;

AC-02(07)(d)

access is revoked when privileged role or attribute assignments are no longer appropriate.

Assessment Method: EXAMINE

Access control policy

procedures addressing account management

system design documentation

system configuration settings and associated documentation

system-generated list of privileged user accounts and associated roles

records of actions taken when privileged role assignments are no longer appropriate

system audit records

audit tracking and monitoring reports

system monitoring records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing account management functions

mechanisms monitoring privileged role assignments

AC-2(8) Account Management | Dynamic Account Management

Implementation Level: System

Control: Create, activate, manage, and deactivate [Assignment: system accounts] dynamically.

Discussion

Approaches for dynamically creating, activating, managing, and deactivating system accounts rely on automatically provisioning the accounts at runtime for entities that were previously unknown. Organizations plan for the dynamic management, creation, activation, and deactivation of system accounts by establishing trust relationships, business rules, and mechanisms with appropriate authorities to validate related authorizations and privileges.

Assessment Objectives
AC-02(08)[01]

[Assignment: system accounts] are created dynamically;

AC-02(08)[02]

[Assignment: system accounts] are activated dynamically;

AC-02(08)[03]

[Assignment: system accounts] are managed dynamically;

AC-02(08)[04]

[Assignment: system accounts] are deactivated dynamically.

Assessment Method: EXAMINE

Access control policy

procedures addressing account management

system design documentation

system configuration settings and associated documentation

system-generated list of system accounts

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Automated mechanisms implementing account management functions

Related control: AC-16.

AC-2(9) Account Management | Restrictions on Use of Shared and Group Accounts

Implementation Level: Organization

Control: Only permit the use of shared and group accounts that meet [Assignment: conditions].

Discussion

Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts.

Assessment Objective
AC-02(09)

the use of shared and group accounts is only permitted if [Assignment: conditions] are met.

Assessment Method: EXAMINE

Access control policy

procedures addressing account management

system design documentation

system configuration settings and associated documentation

system-generated list of shared/group accounts and associated roles

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing management of shared/group accounts

AC-2(10) Account Management | Shared and Group Account Credential Change

[Withdrawn: Incorporated into AC-2k.]

AC-2(11) Account Management | Usage Conditions

Implementation Level: System

Control: Enforce [Assignment: circumstances and/or usage conditions] for [Assignment: system accounts].

Discussion

Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time.

Assessment Objective
AC-02(11)

[Assignment: circumstances and/or usage conditions] for [Assignment: system accounts] are enforced.

Assessment Method: EXAMINE

Access control policy

procedures addressing account management

system design documentation

system configuration settings and associated documentation

system-generated list of system accounts and associated assignments of usage circumstances and/or usage conditions

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing account management functions

AC-2(12) Account Management | Account Monitoring for Atypical Usage

Implementation Level: Organization

Implementation Level: System

Control:

(a)

Monitor system accounts for [Assignment: atypical usage]; and

(b)

Report atypical usage of system accounts to [Assignment: personnel or roles].

Discussion

Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.
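The monitoring and reporting split in parts (a) and (b), as an added Python illustration that is not part of the catalog: a per-account baseline (typical hours and locations) is learned from prior logon history, new logons are compared against it, and only the fields needed to act are reported. The logon records, the two-hour slack and the "baseline from history" rule are constructed assumptions.

```python
"""Account monitoring for atypical usage (AC-2(12)) over constructed logon records.

Added illustration, not code from the catalog or from Texas A&M. The records,
the hour slack and the "baseline from prior history" rule are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed prior history used to learn each account's normal pattern.
HISTORY = [
    ("alice", "2024-02-05T09:12:00", "US"),
    ("alice", "2024-02-06T14:30:00", "US"),
    ("alice", "2024-02-07T10:05:00", "US"),
    ("alice", "2024-02-08T16:45:00", "US"),
    ("bob",   "2024-02-05T08:55:00", "US"),
    ("bob",   "2024-02-06T09:02:00", "CA"),
]

# Constructed new logons to evaluate against the baseline.
NEW_LOGONS = [
    ("alice", "2024-03-06T11:40:00", "US"),   # within hours, known country
    ("alice", "2024-03-06T03:17:00", "US"),   # 03:17 is far outside alice's hours
    ("alice", "2024-03-07T11:40:00", "RO"),   # country never seen for alice
    ("bob",   "2024-03-06T09:30:00", "CA"),   # CA already in bob's history
    ("carol", "2024-03-06T10:00:00", "US"),   # account with no history at all
]

HOUR_SLACK = 2   # assumed: up to 2 hours outside the observed range is still typical


def build_baseline(history):
    """Per-account typical hour window and set of countries, learned from history."""
    hours, places = defaultdict(list), defaultdict(set)
    for user, ts, country in history:
        hours[user].append(datetime.fromisoformat(ts).hour)
        places[user].add(country)
    return {u: {"hours": (min(h) - HOUR_SLACK, max(h) + HOUR_SLACK),
                "countries": places[u]} for u, h in hours.items()}


def atypical_reasons(baseline, user, ts, country):
    """Part (a): reasons a single logon deviates from the account's baseline."""
    if user not in baseline:
        return ["no usage baseline for account"]
    reasons = []
    lo, hi = baseline[user]["hours"]
    if not lo <= datetime.fromisoformat(ts).hour <= hi:
        reasons.append("outside typical hours")
    if country not in baseline[user]["countries"]:
        reasons.append("unusual location")
    return reasons


def monitor(logons, baseline):
    """Returns {account: [(timestamp, reasons), ...]} for logons with at least one reason."""
    findings = defaultdict(list)
    for user, ts, country in logons:
        reasons = atypical_reasons(baseline, user, ts, country)
        if reasons:
            findings[user].append((ts, reasons))
    return dict(findings)


def report_lines(findings):
    """Part (b): the lines sent to [Assignment: personnel or roles].

    Only account, time and reason are reported, not the full activity history,
    which limits the privacy exposure the discussion describes."""
    return [f"{user} {ts}: {'; '.join(reasons)}"
            for user in sorted(findings) for ts, reasons in findings[user]]


if __name__ == "__main__":
    for line in report_lines(monitor(NEW_LOGONS, build_baseline(HISTORY))):
        print(line)
```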

Assessment Objectives
AC-02(12)(a)

system accounts are monitored for [Assignment: atypical usage];

AC-02(12)(b)

atypical usage of system accounts is reported to [Assignment: personnel or roles].

Assessment Method: EXAMINE

Access control policy

procedures addressing account management

system design documentation

system configuration settings and associated documentation

system monitoring records

system audit records

audit tracking and monitoring reports

privacy impact assessment

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing account management functions

Related controls: AU-6, AU-7, CA-7, IR-8, SI-4.

AC-2(13) Account Management | Disable Accounts for High-risk Individuals

Implementation Level: Organization

Control: Disable accounts of individuals within [Assignment: time period] of discovery of [Assignment: significant risks].

Discussion

Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals.

Assessment Objective
AC-02(13)

accounts of individuals are disabled within [Assignment: time period] of discovery of [Assignment: significant risks].

Assessment Method: EXAMINE

Access control policy

procedures addressing account management

system design documentation

system configuration settings and associated documentation

system-generated list of disabled accounts

list of user activities posing significant organizational risk

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with account management responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing account management functions

Related controls: AU-6, SI-4.

AC-3 Access Enforcement

Implementation Level: System

Texas DIR Baseline: LOW

Texas DIR Required By: 2023-01-20

Control: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Texas DIR Implementation:

[Withdrawn.]

Discussion

Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family.

Assessment Objective
AC-03

approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.

Assessment Method: EXAMINE

Access control policy

procedures addressing access enforcement

system design documentation

system configuration settings and associated documentation

list of approved authorizations (user privileges)

system audit records

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access enforcement responsibilities

system/network administrators

organizational personnel with information security and privacy responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing access control policy

Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AC-24, AC-25, AT-2, AT-3, AU-9, CA-9, CM-5, CM-11, IA-2, IA-5, IA-6, IA-7, IA-11, IA-13, MA-3, MA-4, MA-5, MP-4, PM-2, PS-3, PT-2, PT-3, SA-17, SC-2, SC-3, SC-4, SC-12, SC-13, SC-28, SC-31, SC-34, SI-4, SI-8.

Control enhancements
AC-3(1) Access Enforcement | Restricted Access to Privileged Functions

[Withdrawn: Incorporated into AC-6.]

AC-3(2) Access Enforcement | Dual Authorization

Implementation Level: System

Control: Enforce dual authorization for [Assignment: privileged commands and/or other actions].

Discussion

Dual authorization, also known as two-person control, reduces risk related to insider threats. Dual authorization mechanisms require the approval of two authorized individuals to execute. To reduce the risk of collusion, organizations consider rotating dual authorization duties. Organizations consider the risk associated with implementing dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety.

Assessment Objective
AC-03(02)

dual authorization is enforced for [Assignment: privileged commands and/or other actions].

Assessment Method: EXAMINE

Access control policy

procedures addressing access enforcement and dual authorization

system design documentation

system configuration settings and associated documentation

list of privileged commands requiring dual authorization

list of actions requiring dual authorization

list of approved authorizations (user privileges)

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Dual authorization mechanisms implementing access control policy

Related controls: CP-9, MP-6.

AC-3(3) Access Enforcement | Mandatory Access Control

Implementation Level: System

Control: Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy:

(a)

Is uniformly enforced across the covered subjects and objects within the system;

(b)

Specifies that a subject that has been granted access to information is constrained from doing any of the following;

(1)

Passing the information to unauthorized subjects or objects;

(2)

Granting its privileges to other subjects;

(3)

Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;

(4)

Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and

(5)

Changing the rules governing access control; and

(c)

Specifies that [Assignment: subjects] may explicitly be granted [Assignment: privileges] such that they are not limited by any defined subset (or all) of the above constraints.

Discussion

Mandatory access control is a type of nondiscretionary access control. Mandatory access control policies constrain what actions subjects can take with information obtained from objects for which they have already been granted access. This prevents the subjects from passing the information to unauthorized subjects and objects. Mandatory access control policies constrain actions that subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the system has control. Otherwise, the access control policy can be circumvented. This enforcement is provided by an implementation that meets the reference monitor concept as described in AC-25. The policy is bounded by the system (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect).

The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges necessary for satisfying organizational mission/business needs relative to the above policy. The control is most applicable when there is a mandate that establishes a policy regarding access to controlled unclassified information or classified information and some users of the system are not authorized access to all such information resident in the system. Mandatory access control can operate in conjunction with discretionary access control as described in AC-3(4). A subject constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of AC-3(4), but mandatory access control policies take precedence over the less rigorous constraints of AC-3(4). For example, while a mandatory access control policy imposes a constraint that prevents a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any other subject with the same impact or classification level as the subject. Examples of mandatory access control policies include the Bell-LaPadula policy to protect confidentiality of information and the Biba policy to protect the integrity of information.

Assessment Objectives
AC-03(03)[01]

[Assignment: mandatory access control policy] is enforced over the set of covered subjects specified in the policy;

AC-03(03)[02]

[Assignment: mandatory access control policy] is enforced over the set of covered objects specified in the policy;

AC-03(03)(a)[01]

[Assignment: mandatory access control policy] is uniformly enforced across the covered subjects within the system;

AC-03(03)(a)[02]

[Assignment: mandatory access control policy] is uniformly enforced across the covered objects within the system;

AC-03(03)(b)(01)

[Assignment: mandatory access control policy] and [Assignment: mandatory access control policy] specifying that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects are enforced;

AC-03(03)(b)(02)

[Assignment: mandatory access control policy] and [Assignment: mandatory access control policy] specifying that a subject that has been granted access to information is constrained from granting its privileges to other subjects are enforced;

AC-03(03)(b)(03)

[Assignment: mandatory access control policy] and [Assignment: mandatory access control policy] specifying that a subject that has been granted access to information is constrained from changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components are enforced;

AC-03(03)(b)(04)

[Assignment: mandatory access control policy] and [Assignment: mandatory access control policy] specifying that a subject that has been granted access to information is constrained from choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects are enforced;

AC-03(03)(b)(05)

[Assignment: mandatory access control policy] and [Assignment: mandatory access control policy] specifying that a subject that has been granted access to information is constrained from changing the rules governing access control are enforced;

AC-03(03)(c)

[Assignment: mandatory access control policy] and [Assignment: mandatory access control policy] specifying that [Assignment: subjects] may explicitly be granted [Assignment: privileges] such that they are not limited by any defined subset (or all) of the above constraints are enforced.

Assessment Method: EXAMINE

Access control policy

mandatory access control policies

procedures addressing access enforcement

system design documentation

system configuration settings and associated documentation

list of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Automated mechanisms implementing mandatory access control

Related control: SC-7.

AC-3(4) Access Enforcement | Discretionary Access Control

Implementation Level: System

Control: Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:

(a)

Pass the information to any other subjects or objects;

(b)

Grant its privileges to other subjects;

(c)

Change security attributes on subjects, objects, the system, or the system’s components;

(d)

Choose the security attributes to be associated with newly created or revised objects; or

(e)

Change the rules governing access control.

Discussion

When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing the information to other subjects or objects (i.e., subjects have the discretion to pass). Discretionary access control can operate in conjunction with mandatory access control as described in AC-3(3) and AC-3(15). A subject that is constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of discretionary access control. Therefore, while AC-3(3) imposes constraints that prevent a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any subject at the same impact or classification level. The policy is bounded by the system. Once the information is passed outside of system control, additional means may be required to ensure that the constraints remain in effect. While traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this particular use of discretionary access control.
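The interplay between the mandatory policy of AC-3(3) and the discretionary policy of AC-3(4), as an added Python illustration that is not part of the catalog: a small reference monitor applies Bell-LaPadula (confidentiality) and Biba (integrity) constraints before consulting the owner-managed ACL, so an owner's discretionary grant to a lower-cleared subject is recorded but never takes effect, and a trusted subject is exempt from exactly one named constraint as AC-3(3)(c) allows. The levels, subjects, objects and ACL entries are constructed.

```python
"""Reference monitor combining mandatory (AC-3(3)) and discretionary (AC-3(4)) policy.

Added illustration, not code from the catalog or from Texas A&M. The
levels, subjects, objects and ACL entries below are constructed.
"""

# Totally ordered confidentiality levels (Bell-LaPadula) and integrity levels (Biba).
CONF = {"UNCLASSIFIED": 0, "CUI": 1, "SECRET": 2}
INTEG = {"LOW": 0, "HIGH": 1}


class Subject:
    def __init__(self, name, conf, integ, exempt=()):
        self.name, self.conf, self.integ = name, conf, integ
        # Constraints a trusted subject is explicitly exempt from (AC-3(3)(c)).
        self.exempt = set(exempt)


class Obj:
    def __init__(self, name, conf, integ, owner, acl=None):
        self.name, self.conf, self.integ, self.owner = name, conf, integ, owner
        self.acl = acl or {}      # DAC layer: subject name -> set of permitted ops


class Monitor:
    """Mediates every access. MAC is evaluated first; a DAC grant never overrides it."""

    def __init__(self):
        self.log = []             # (subject, object, op, allowed, reason) for later review

    def mac_allows(self, s, o, op):
        if op == "read":
            if CONF[s.conf] < CONF[o.conf] and "no_read_up" not in s.exempt:
                return False, "BLP no-read-up"
            if INTEG[s.integ] > INTEG[o.integ] and "no_read_down" not in s.exempt:
                return False, "Biba no-read-down"
        elif op == "write":
            if CONF[s.conf] > CONF[o.conf] and "no_write_down" not in s.exempt:
                return False, "BLP no-write-down"
            if INTEG[s.integ] < INTEG[o.integ] and "no_write_up" not in s.exempt:
                return False, "Biba no-write-up"
        else:
            return False, "unknown operation"
        return True, "allowed"

    def check(self, s, o, op):
        ok, why = self.mac_allows(s, o, op)
        if ok and op not in o.acl.get(s.name, set()):
            ok, why = False, "DAC: no ACL entry"
        self.log.append((s.name, o.name, op, ok, why))
        return ok, why

    def grant(self, granter, grantee, o, op):
        """AC-3(4)(b): the owner may share at its discretion. Only the DAC layer
        changes, so the grantee remains bound by the MAC checks above."""
        if granter.name != o.owner:
            return False
        o.acl.setdefault(grantee.name, set()).add(op)
        return True


def scenario():
    """Runs the interplay described in the two discussions and returns each decision."""
    m = Monitor()
    alice = Subject("alice", "SECRET", "HIGH")
    bob = Subject("bob", "CUI", "HIGH")
    web = Subject("web", "UNCLASSIFIED", "LOW")
    # Trusted downgrader: exempt only from no-write-down (AC-3(3)(c), least privilege per AC-6).
    downgrader = Subject("downgrader", "SECRET", "HIGH", exempt={"no_write_down"})
    report = Obj("report", "SECRET", "HIGH", owner="alice", acl={"alice": {"read", "write"}})
    public = Obj("public-notice", "UNCLASSIFIED", "LOW", owner="web",
                 acl={"web": {"read", "write"}, "downgrader": {"write"}})
    r = {}
    r["alice_read_report"] = m.check(alice, report, "read")        # same level: allowed
    r["alice_write_public"] = m.check(alice, public, "write")      # BLP no-write-down
    r["grant_bob"] = m.grant(alice, bob, report, "read")           # DAC grant succeeds...
    r["bob_read_report"] = m.check(bob, report, "read")            # ...but MAC still denies
    r["bob_read_public"] = m.check(bob, public, "read")            # Biba no-read-down
    r["web_read_public"] = m.check(web, public, "read")            # allowed
    r["downgrader_write_public"] = m.check(downgrader, public, "write")  # exemption applies
    return r


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name}: {decision}")
```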

Assessment Objectives
AC-03(04)[01]

[Assignment: discretionary access control policy] is enforced over the set of covered subjects specified in the policy;

AC-03(04)[02]

[Assignment: discretionary access control policy] is enforced over the set of covered objects specified in the policy;

AC-03(04)(a)

[Assignment: discretionary access control policy] and [Assignment: discretionary access control policy] are enforced where the policy specifies that a subject that has been granted access to information can pass the information to any other subjects or objects;

AC-03(04)(b)

[Assignment: discretionary access control policy] and [Assignment: discretionary access control policy] are enforced where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects;

AC-03(04)(c)

[Assignment: discretionary access control policy] and [Assignment: discretionary access control policy] are enforced where the policy specifies that a subject that has been granted access to information can change security attributes on subjects, objects, the system, or the system’s components;

AC-03(04)(d)

[Assignment: discretionary access control policy] and [Assignment: discretionary access control policy] are enforced where the policy specifies that a subject that has been granted access to information can choose the security attributes to be associated with newly created or revised objects;

AC-03(04)(e)

[Assignment: discretionary access control policy] and [Assignment: discretionary access control policy] are enforced where the policy specifies that a subject that has been granted access to information can change the rules governing access control.

Assessment Method: EXAMINE

Access control policy

discretionary access control policies

procedures addressing access enforcement

system design documentation

system configuration settings and associated documentation

list of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing discretionary access control policy

AC-3(5) Access Enforcement | Security-relevant Information

Implementation Level: System

Control: Prevent access to [Assignment: security-relevant information] except during secure, non-operable system states.

Discussion

Security-relevant information is information within systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security and privacy policies or maintain the separation of code and data. Security-relevant information includes access control lists, filtering rules for routers or firewalls, configuration parameters for security services, and cryptographic key management information. Secure, non-operable system states include the times in which systems are not performing mission or business-related processing, such as when the system is offline for maintenance, boot-up, troubleshooting, or shut down.

Assessment Objective
AC-03(05)

access to [Assignment: security-relevant information] is prevented except during secure, non-operable system states.

Assessment Method: EXAMINE

Access control policy

procedures addressing access enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms preventing access to security-relevant information within the system

Related controls: CM-6, SC-39.

AC-3(6) Access Enforcement | Protection of User and System Information

[Withdrawn: Incorporated into MP-4, SC-28.]

AC-3(7) Access Enforcement | Role-based Access Control

Implementation Level: Organization

Implementation Level: System

Texas A&M System Required By: 2022-08-01

Control: Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].

Texas A&M System Implementation: Implement role-based (e.g., students, employees, third parties, guests) access control or adopt InCommon Federation assurance profile roles, where possible.

Discussion

Role-based access control (RBAC) is an access control policy that enforces access to objects and system functions based on the defined role (i.e., job function) of the subject. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organization-defined roles. When users are assigned to specific roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a large number of individuals) but are instead acquired through role assignments. RBAC can also increase privacy and security risk if individuals assigned to a role are given access to information beyond what they need to support organizational missions or business functions. RBAC can be implemented as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy.

Assessment Objectives
AC-03(07)[01]

a role-based access control policy is enforced over defined subjects;

AC-03(07)[02]

a role-based access control policy is enforced over defined objects;

AC-03(07)[03]

access is controlled based on [Assignment: roles] and [Assignment: users authorized to assume such roles].

Assessment Method: EXAMINE

Access control policy

role-based access control policies

procedures addressing access enforcement

system design documentation

system configuration settings and associated documentation

list of roles, users, and associated privileges required to control system access

system audit records

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access enforcement responsibilities

system/network administrators

organizational personnel with information security and privacy responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing role-based access control policy

AC-3(8) Access Enforcement | Revocation of Access Authorizations

Implementation Level: Organization

Implementation Level: System

Control: Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: rules].

Discussion

Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process acting on behalf of a user) is removed from a group, access may not be revoked until the next time the object is opened or the next time the subject attempts to access the object. Revocation based on changes to security labels may take effect immediately. Organizations provide alternative approaches on how to make revocations immediate if systems cannot provide such capability and immediate revocation is necessary.
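The timing difference described above, as an added example that is not part of the catalog: the same group-based policy enforced at open time, on every access, and with a pushed invalidation (the "alternative approach" for systems that cannot re-check each access). Subjects, groups and object names are constructed.

```python
"""Added example, not part of the catalog: three revocation models for AC-3(8).

A subject's read access to an object is granted through group membership.
The three handle classes differ only in *when* the policy is evaluated, which
decides whether removing the subject from the group revokes access already in
use. Subjects, groups and objects are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass
class Directory:
    """Group membership and, per object, the groups allowed to read it."""
    members: dict[str, set[str]] = field(default_factory=dict)  # group -> subjects
    acl: dict[str, set[str]] = field(default_factory=dict)      # object -> groups
    open_handles: list[RevocableHandle] = field(default_factory=list)

    def authorized(self, subject: str, obj: str) -> bool:
        return any(subject in self.members.get(g, set()) for g in self.acl.get(obj, ()))

    def remove_from_group(self, subject: str, group: str) -> None:
        self.members[group].discard(subject)
        # "Alternative approach" from the discussion: when the system cannot
        # re-check on every access, push an invalidation to open handles.
        for h in self.open_handles:
            if h.subject == subject and not self.authorized(subject, h.obj):
                h.revoked = True


class OpenTimeHandle:
    """Policy evaluated once at open(); later group changes are never seen."""

    def __init__(self, d: Directory, subject: str, obj: str) -> None:
        if not d.authorized(subject, obj):
            raise AccessDenied(f"{subject} may not open {obj}")
        self.obj = obj

    def read(self) -> str:
        return f"contents of {self.obj}"


class PerAccessHandle:
    """Policy re-evaluated on every read(); revocation is immediate."""

    def __init__(self, d: Directory, subject: str, obj: str) -> None:
        self.d, self.subject, self.obj = d, subject, obj
        if not d.authorized(subject, obj):
            raise AccessDenied(f"{subject} may not open {obj}")

    def read(self) -> str:
        if not self.d.authorized(self.subject, self.obj):
            raise AccessDenied(f"{self.subject} lost access to {self.obj}")
        return f"contents of {self.obj}"


class RevocableHandle:
    """Open-time check, plus explicit invalidation pushed by the directory."""

    def __init__(self, d: Directory, subject: str, obj: str) -> None:
        if not d.authorized(subject, obj):
            raise AccessDenied(f"{subject} may not open {obj}")
        self.subject, self.obj, self.revoked = subject, obj, False
        d.open_handles.append(self)

    def read(self) -> str:
        if self.revoked:
            raise AccessDenied(f"handle on {self.obj} was revoked")
        return f"contents of {self.obj}"


def revocation_is_immediate(handle_cls) -> bool:
    """Open a handle, drop the subject from the granting group, read again."""
    d = Directory(members={"finance": {"alice"}}, acl={"ledger.xlsx": {"finance"}})
    handle = handle_cls(d, "alice", "ledger.xlsx")
    assert handle.read().startswith("contents")  # works before revocation
    d.remove_from_group("alice", "finance")
    try:
        handle.read()
    except AccessDenied:
        return True
    return False  # the stale handle still reads: revocation was deferred


if __name__ == "__main__":
    for cls in (OpenTimeHandle, PerAccessHandle, RevocableHandle):
        print(f"{cls.__name__:>16}: immediate revocation = {revocation_is_immediate(cls)}")
```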

Assessment Objectives
AC-03(08)[01]

revocation of access authorizations is enforced, resulting from changes to the security attributes of subjects based on [Assignment: rules];

AC-03(08)[02]

revocation of access authorizations is enforced resulting from changes to the security attributes of objects based on [Assignment: rules].

Assessment Method: EXAMINE

Access control policy

procedures addressing access enforcement

system design documentation

system configuration settings and associated documentation

rules governing revocation of access authorizations

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing access enforcement functions

AC-3(9) Access Enforcement | Controlled Release

Implementation Level: Organization

Implementation Level: System

Control: Release information outside of the system only if:

(a)

The receiving [Assignment: system or system component] provides [Assignment: controls]; and

(b)

[Assignment: controls] are used to validate the appropriateness of the information designated for release.

Discussion

Organizations can only directly protect information when it resides within the system. Additional controls may be needed to ensure that organizational information is adequately protected once it is transmitted outside of the system. In situations where the system is unable to determine the adequacy of the protections provided by external entities, as a mitigation measure, organizations procedurally determine whether the external systems are providing adequate controls. The means used to determine the adequacy of controls provided by external systems include conducting periodic assessments (inspections/tests), establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security and privacy policy to protect the information and individuals’ privacy.

Controlled release of information requires systems to implement technical or procedural means to validate the information prior to releasing it to external systems. For example, if the system passes information to a system controlled by another organization, technical means are employed to validate that the security and privacy attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only authorized individuals gain access to the printer.

Assessment Objectives
AC-03(09)(a)

information is released outside of the system only if the receiving [Assignment: system or system component] provides [Assignment: controls];

AC-03(09)(b)

information is released outside of the system only if [Assignment: controls] are used to validate the appropriateness of the information designated for release.

Assessment Method: EXAMINE

Access control policy

procedures addressing access enforcement

system design documentation

system configuration settings and associated documentation

list of security and privacy safeguards provided by receiving system or system components

list of security and privacy safeguards validating appropriateness of information designated for release

system audit records

results of periodic assessments (inspections/tests) of the external system

information sharing agreements

memoranda of understanding

acquisitions/contractual agreements

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access enforcement responsibilities

system/network administrators

organizational personnel with information security and privacy responsibilities

organizational personnel with responsibility for acquisitions/contractual agreements

legal counsel

system developers

Assessment Method: TEST

Mechanisms implementing access enforcement functions

Related controls: CA-3, PT-7, PT-8, SA-9, SC-16.

AC-3(10) Access Enforcement | Audited Override of Access Control Mechanisms

Implementation Level: Organization

Control: Employ an audited override of automated access control mechanisms under [Assignment: conditions] by [Assignment: roles].

Discussion

In certain situations, such as when there is a threat to human life or an event that threatens the organization’s ability to carry out critical missions or business functions, an override capability for access control mechanisms may be needed. Override conditions are defined by organizations and used only in those limited circumstances. Audit events are defined in AU-2. Audit records are generated in AU-12.

Assessment Objective
AC-03(10)

an audited override of automated access control mechanisms is employed under [Assignment: conditions] by [Assignment: roles].

Assessment Method: EXAMINE

Access control policy

procedures addressing access enforcement

system design documentation

system configuration settings and associated documentation

conditions for employing audited override of automated access control mechanisms

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing access enforcement functions

Related controls: AU-2, AU-6, AU-10, AU-12, AU-14.

AC-3(11) Access Enforcement | Restrict Access to Specific Information Types

Implementation Level: System

Control: Restrict access to data repositories containing [Assignment: information types].

Discussion

Restricting access to specific information is intended to provide flexibility regarding access control of specific information types within a system. For example, role-based access could be employed to allow access to only a specific type of personally identifiable information within a database rather than allowing access to the database in its entirety. Other examples include restricting access to cryptographic keys, authentication information, and selected system information.

Assessment Objective
AC-03(11)

access to data repositories containing [Assignment: information types] is restricted.

Assessment Method: EXAMINE

Access control policy

procedures addressing access enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access enforcement responsibilities

organizational personnel with responsibilities for data repositories

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing access enforcement functions

Related controls: CM-8, CM-12, CM-13, PM-5.

AC-3(12) Access Enforcement | Assert and Enforce Application Access

Implementation Level: System

Control:

(a)

Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: system applications and functions];

(b)

Provide an enforcement mechanism to prevent unauthorized access; and

(c)

Approve access changes after initial installation of the application.

Discussion

Asserting and enforcing application access is intended to address applications that need to access existing system applications and functions, including user contacts, global positioning systems, cameras, keyboards, microphones, networks, phones, or other files.

Assessment Objectives
AC-03(12)(a)

as part of the installation process, applications are required to assert the access needed to the following system applications and functions: [Assignment: system applications and functions];

AC-03(12)(b)

an enforcement mechanism to prevent unauthorized access is provided;

AC-03(12)(c)

access changes after initial installation of the application are approved.

Assessment Method: EXAMINE

Access control policy

procedures addressing access enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing access enforcement functions

Related control: CM-7.

AC-3(13) Access Enforcement | Attribute-based Access Control

Implementation Level: System

Control: Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: attributes].

Discussion

Attribute-based access control is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, identity), action attributes (e.g., read, write, delete), environmental attributes (e.g., time of day, location), and resource attributes (e.g., classification of a document). Organizations can create rules based on attributes and the authorizations (i.e., privileges) to perform needed operations on the systems associated with organization-defined attributes and rules. When users are assigned to attributes defined in attribute-based access control policies or rules, they can be provisioned to a system with the appropriate privileges or dynamically granted access to a protected resource. Attribute-based access control can be implemented as either a mandatory or discretionary form of access control. When implemented with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy.
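One policy decision point evaluating both the role-based policy of AC-3(7) and the attribute-based policy described here, as an added example that is not catalog code. The roles (student, employee, guest), rules, users and attribute values are constructed for the demonstration.

```python
"""Added example, not catalog code: one policy decision point that evaluates an
RBAC policy (AC-3(7)) and an ABAC policy (AC-3(13)) for the same request.
RBAC grants coarse privileges through roles a user is authorized to assume
(student, employee, guest); ABAC then refines the decision from subject,
action, environment and resource attributes. All names, rules and attribute
values are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import time
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: str
    action: str                                          # read, write, delete
    resource: str
    subject_attrs: dict = field(default_factory=dict)    # job function, department
    resource_attrs: dict = field(default_factory=dict)   # type, owner, classification
    env: dict = field(default_factory=dict)              # time of day, network location


class RBAC:
    """Privileges attach to roles; users acquire them only through roles they
    are authorized to assume."""

    def __init__(self, role_privileges: dict[str, set[tuple[str, str]]],
                 authorized_users: dict[str, set[str]]) -> None:
        self.role_privileges = role_privileges    # role -> {(action, resource type)}
        self.authorized_users = authorized_users  # role -> users allowed to assume it

    def roles_of(self, subject: str) -> set[str]:
        return {r for r, users in self.authorized_users.items() if subject in users}

    def decide(self, req: Request) -> bool:
        needed = (req.action, req.resource_attrs.get("type"))
        return any(needed in self.role_privileges.get(r, set())
                   for r in self.roles_of(req.subject))


Rule = Callable[[Request], bool]


class ABAC:
    """Deny by default: an explicit deny rule wins, otherwise any allow rule suffices."""

    def __init__(self, allow: list[Rule], deny: list[Rule]) -> None:
        self.allow, self.deny = allow, deny

    def decide(self, req: Request) -> bool:
        if any(rule(req) for rule in self.deny):
            return False
        return any(rule(req) for rule in self.allow)


RBAC_POLICY = RBAC(
    role_privileges={
        "employee": {("read", "grade_record"), ("write", "grade_record")},
        "student": {("read", "grade_record")},
        "guest": set(),
    },
    authorized_users={"employee": {"bob"}, "student": {"alice"}, "guest": {"carol"}},
)

ABAC_POLICY = ABAC(
    allow=[
        # Owner of the record may read it (subject identity vs. resource attribute).
        lambda r: r.action == "read" and r.resource_attrs.get("owner") == r.subject,
        # Registrar staff of the owning department may act during business hours, on campus.
        lambda r: r.subject_attrs.get("job_function") == "registrar"
        and r.subject_attrs.get("department") == r.resource_attrs.get("department")
        and time(8, 0) <= r.env.get("time", time(0, 0)) <= time(18, 0)
        and r.env.get("network") == "campus",
    ],
    deny=[
        # Confidential records never leave the campus network, whatever the role.
        lambda r: r.resource_attrs.get("classification") == "confidential"
        and r.env.get("network") != "campus",
    ],
)


def decide(req: Request, rbac: RBAC = RBAC_POLICY, abac: ABAC = ABAC_POLICY) -> bool:
    """Access is granted only when both the RBAC and the ABAC policy allow it."""
    return rbac.decide(req) and abac.decide(req)


def sample(subject: str, action: str, network: str, at: time, **subject_attrs) -> Request:
    """A request against one constructed grade record owned by alice."""
    return Request(subject, action, "grades/alice", subject_attrs,
                   {"type": "grade_record", "owner": "alice",
                    "department": "CS", "classification": "confidential"},
                   {"network": network, "time": at})


if __name__ == "__main__":
    print(decide(sample("alice", "read", "campus", time(21, 0))))  # True: owner, on campus
    print(decide(sample("alice", "read", "home", time(10, 0))))    # False: confidential off campus
```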

Assessment Objectives
AC-03(13)[01]

the attribute-based access control policy is enforced over defined subjects;

AC-03(13)[02]

the attribute-based access control policy is enforced over defined objects;

AC-03(13)[03]

access is controlled based on [Assignment: attributes].

Assessment Method: EXAMINE

Access control policy

procedures addressing access enforcement

system design documentation

system configuration settings and associated documentation

list of subjects and objects (i.e., users and resources) requiring enforcement of attribute-based access control policies

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing access enforcement functions

AC-3(14) Access Enforcement | Individual Access

Implementation Level: System

Control: Provide [Assignment: mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: elements].

Discussion

Individual access affords individuals the ability to review personally identifiable information about them held within organizational records, regardless of format. Access helps individuals to develop an understanding about how their personally identifiable information is being processed. It can also help individuals ensure that their data is accurate. Access mechanisms can include request forms and application interfaces. For federal agencies, PRIVACT processes can be located in systems of record notices and on agency websites. Access to certain types of records may not be appropriate (e.g., for federal agencies, law enforcement records within a system of records may be exempt from disclosure under the PRIVACT) or may require certain levels of authentication assurance. Organizational personnel consult with the senior agency official for privacy and legal counsel to determine appropriate mechanisms and access rights or limitations.

Assessment Objective
AC-03(14)

[Assignment: mechanisms] are provided to enable individuals to have access to [Assignment: elements] of their personally identifiable information.

Assessment Method: EXAMINE

Access mechanisms (e.g., request forms and application interfaces)

access control policy

procedures addressing access enforcement

system design documentation

system configuration settings and associated documentation

documentation regarding access to an individual’s personally identifiable information

system audit records

system security plan

privacy plan

privacy impact assessment

privacy assessment findings and/or reports

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access enforcement responsibilities

system/network administrators

organizational personnel with information security and privacy responsibilities

legal counsel

Assessment Method: TEST

Mechanisms implementing access enforcement functions

mechanisms enabling individual access to personally identifiable information

Related controls: IA-8, PM-22, PM-20, PM-21, PT-6.

AC-3(15) Access Enforcement | Discretionary and Mandatory Access Control

Implementation Level: System

Control:

(a)

Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and

(b)

Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.

Discussion

Simultaneously implementing a mandatory access control policy and a discretionary access control policy can provide additional protection against the unauthorized execution of code by users or processes acting on behalf of users. This helps prevent a single compromised user or process from compromising the entire system.

Assessment Objectives
AC-03(15)(a)[01]

[Assignment: mandatory access control policy] is enforced over the set of covered subjects specified in the policy;

AC-03(15)(a)[02]

[Assignment: mandatory access control policy] is enforced over the set of covered objects specified in the policy;

AC-03(15)(b)[01]

[Assignment: discretionary access control policy] is enforced over the set of covered subjects specified in the policy;

AC-03(15)(b)[02]

[Assignment: discretionary access control policy] is enforced over the set of covered objects specified in the policy.

Assessment Method: EXAMINE

Access control policy

procedures addressing access enforcement

system design documentation

system configuration settings and associated documentation

list of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies

list of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with access enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing mandatory and discretionary access control policy

Related controls: SC-2, SC-3, AC-4.

AC-4 Information Flow Enforcement

Implementation Level: System

Control: Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: information flow control policies].

Discussion

Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.

Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS).

Assessment Objective
AC-04

approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on [Assignment: information flow control policies].

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

security architecture documentation

privacy architecture documentation

system design documentation

system configuration settings and associated documentation

system baseline configuration

list of information flow authorizations

system audit records

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security and privacy architecture development responsibilities

organizational personnel with information security and privacy responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

Related controls: AC-3, AC-6, AC-16, AC-17, AC-19, AC-21, AU-10, CA-3, CA-9, CM-7, PL-9, PM-24, SA-17, SC-4, SC-7, SC-16, SC-31.

Control enhancements
AC-4(1) Information Flow Enforcement | Object Security and Privacy Attributes

Implementation Level: System

Control: Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: information flow control policies] as a basis for flow control decisions.

Discussion

Information flow enforcement mechanisms compare security and privacy attributes associated with information (i.e., data content and structure) and source and destination objects and respond appropriately when the enforcement mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. A dataset of personally identifiable information may be tagged with restrictions against combining with other types of datasets and, thus, would not be allowed to flow to the restricted dataset. Security and privacy attributes can also include source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security or privacy attributes can be used, for example, to control the release of certain types of information.

Assessment Objectives
AC-04(01)[01]

[Assignment: security attributes] associated with [Assignment: information objects], [Assignment: source objects], and [Assignment: destination objects] are used to enforce [Assignment: information flow control policies] as a basis for flow control decisions;

AC-04(01)[02]

[Assignment: privacy attributes] associated with [Assignment: information objects], [Assignment: source objects], and [Assignment: destination objects] are used to enforce [Assignment: information flow control policies] as a basis for flow control decisions.

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

list of security and privacy attributes and associated source and destination objects

system audit records

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

organizational personnel with privacy responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

AC-4(2) Information Flow Enforcement | Processing Domains

Implementation Level: System

Control: Use protected processing domains to enforce [Assignment: information flow control policies] as a basis for flow control decisions.

Discussion

Protected processing domains within systems are processing spaces that have controlled interactions with other processing spaces, enabling control of information flows between these spaces and to/from information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, system processes are assigned to domains, information is identified by types, and information flows are controlled based on allowed information accesses (i.e., determined by domain and type), allowed signaling among domains, and allowed process transitions to other domains.
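The three tables that domain and type enforcement consults (domain-to-type access, domain-to-domain signaling, and domain transitions through entry-point programs), as an added example that is not catalog code. The domains, types and program names are constructed for the demonstration.

```python
"""Added example, not catalog code: a toy domain and type enforcement (DTE)
policy of the kind described under AC-4(2). Processes run in domains, objects
carry types, and three tables decide what is allowed: domain-to-type access,
domain-to-domain signaling, and domain transitions through entry-point
programs. Domain, type and program names are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DTEPolicy:
    # domain -> type -> allowed access modes
    access: dict[str, dict[str, set[str]]] = field(default_factory=dict)
    # domain -> domains it may send signals to
    signals: dict[str, set[str]] = field(default_factory=dict)
    # (source domain, entry-point program type) -> target domain
    transitions: dict[tuple[str, str], str] = field(default_factory=dict)

    def may_access(self, domain: str, obj_type: str, mode: str) -> bool:
        return mode in self.access.get(domain, {}).get(obj_type, set())

    def may_signal(self, src: str, dst: str) -> bool:
        return dst in self.signals.get(src, set())

    def transition(self, domain: str, program_type: str) -> str | None:
        """Domain reached by executing a program of program_type, or None when the
        process may not execute it. A non-entry-point program keeps the domain."""
        if (domain, program_type) in self.transitions:
            return self.transitions[(domain, program_type)]
        return domain if self.may_access(domain, program_type, "execute") else None


# Constructed sample: a web front end, a database server and an admin domain.
POLICY = DTEPolicy(
    access={
        "web_d": {"web_content_t": {"read"}, "web_log_t": {"write"},
                  "web_bin_t": {"execute"}, "db_client_t": {"execute"}},
        "db_d": {"db_data_t": {"read", "write"}, "db_bin_t": {"execute"}},
        "admin_d": {"db_data_t": {"read", "write"}, "web_content_t": {"read", "write"},
                    "web_log_t": {"read"}, "admin_bin_t": {"execute"},
                    "db_bin_t": {"execute"}},
    },
    signals={"admin_d": {"web_d", "db_d"}},           # only admin may signal the servers
    transitions={("web_d", "db_client_t"): "db_d",   # web reaches db_d only via the client
                 ("admin_d", "db_bin_t"): "db_d"},
)


def flow_allowed(policy: DTEPolicy, src_domain: str, obj_type: str, dst_domain: str) -> bool:
    """Information may flow src -> object -> dst only if src may write the object's
    type and dst may read it; types are the only channel between domains."""
    return (policy.may_access(src_domain, obj_type, "write")
            and policy.may_access(dst_domain, obj_type, "read"))


if __name__ == "__main__":
    print(POLICY.transition("web_d", "db_client_t"))          # db_d
    print(flow_allowed(POLICY, "db_d", "db_data_t", "web_d"))  # False: web_d cannot read db_data_t
```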

Assessment Objective
AC-04(02)

protected processing domains are used to enforce [Assignment: information flow control policies] as a basis for flow control decisions.

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system security architecture and associated documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

Related control: SC-39.

AC-4(3) Information Flow Enforcement | Dynamic Information Flow Control

Implementation Level: System

Control: Enforce [Assignment: information flow control policies].

Discussion

Organizational policies regarding dynamic information flow control include allowing or disallowing information flows based on changing conditions or mission or operational considerations. Changing conditions include changes in risk tolerance due to changes in the immediacy of mission or business needs, changes in the threat environment, and detection of potentially harmful or adverse events.

Assessment Objective
AC-04(03)

[Assignment: information flow control policies] are enforced.

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system security architecture and associated documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

Related control: SI-4.

AC-4(4) Information Flow Enforcement | Flow Control of Encrypted Information

Implementation Level: System

Control: Prevent encrypted information from bypassing [Assignment: information flow control mechanisms] by [Selection: decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]].

Discussion

Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms.

Assessment Objective
AC-04(04)

encrypted information is prevented from bypassing [Assignment: information flow control mechanisms] by [Selection: decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]].

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

Related control: SI-4.

AC-4(5) Information Flow Enforcement | Embedded Data Types

Implementation Level: System

Control: Enforce [Assignment: limitations] on embedding data types within other data types.

Discussion

Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes inserting files as objects within other files and using compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools.
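An inspection step that enforces a nesting limit on archived data, as an added example that is not catalog code: archives inside archives are unpacked only to the depth the tool can inspect, and deeper embedding is refused rather than passed through uninspected. The nested ZIP archives and the size budget are constructed for the demonstration.

```python
"""Added example, not catalog code: an inspection step that enforces a limit on
data type embedding (AC-4(5)). Archives nested inside archives are unpacked
only to the depth the inspection tool can handle; deeper embedding is refused
rather than passed uninspected. The nested ZIP archives are constructed in
memory for the demonstration.
"""
from __future__ import annotations

import io
import zipfile


class EmbeddingLimitExceeded(Exception):
    pass


def is_archive(data: bytes) -> bool:
    return zipfile.is_zipfile(io.BytesIO(data))


def inspect(data: bytes, max_depth: int, max_unpacked: int = 1 << 20,
            _level: int = 0) -> list[str]:
    """Return the paths of all leaf (non-archive) members reachable from data.

    _level counts how many archives enclose the current object; an archive at a
    level beyond max_depth is beyond the tool's capability and is rejected.
    max_unpacked caps the declared member size per archive so the inspector
    cannot be exhausted by a small archive that expands enormously.
    """
    if not is_archive(data):
        return [""]  # a leaf object: nothing further to unpack
    level = _level + 1
    if level > max_depth:
        raise EmbeddingLimitExceeded(f"archive nested {level} deep exceeds limit {max_depth}")
    leaves: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        if sum(m.file_size for m in members) > max_unpacked:
            raise EmbeddingLimitExceeded("declared unpacked size exceeds inspection budget")
        for m in members:
            for sub in inspect(zf.read(m), max_depth, max_unpacked, level):
                leaves.append(m.filename + ("/" + sub if sub else ""))
    return leaves


def make_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nest(levels: int) -> bytes:
    """Constructed sample: payload.txt wrapped in `levels` archives."""
    data = b"constructed sample payload\n"
    for n in range(1, levels + 1):
        name = "payload.txt" if n == 1 else f"level{n - 1}.zip"
        data = make_zip({name: data})
    return data


if __name__ == "__main__":
    print(inspect(nest(2), max_depth=3))  # ['level1.zip/payload.txt']
    try:
        inspect(nest(4), max_depth=3)
    except EmbeddingLimitExceeded as e:
        print("refused:", e)
```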

Assessment Objective
AC-04(05)

[Assignment: limitations] are enforced on embedding data types within other data types.

Assessment Method: EXAMINE

Access control policy

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

list of limitations to be enforced on embedding data types within other data types

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

AC-4(6) Information Flow Enforcement | Metadata

Implementation Level: System

Control: Enforce information flow control based on [Assignment: metadata].

Discussion

Metadata is information that describes the characteristics of data. Metadata can include structural metadata describing data structures or descriptive metadata describing data content. Enforcement of allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., employing sufficiently strong binding techniques with appropriate assurance).
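A flow decision driven by security and privacy attributes (the Secret/Top Secret and PII-combination cases of AC-4(1)), with the attributes bound to the payload by an HMAC so that altered or detached metadata is rejected before it is trusted (the binding and integrity concerns of AC-4(6)). This is an added example, not catalog code; the labels, dataset tags, key and payloads are constructed.

```python
"""Added example, not catalog code: flow control decisions from security and
privacy attributes (AC-4(1)), where the attributes are bound to the payload with
an HMAC so a filter can reject metadata that was altered or detached (AC-4(6)).
Labels, dataset tags, key and payloads are constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Hierarchical security labels; a flow is allowed only to a destination whose
# label dominates (is at least as high as) the information's label.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

# Constructed key for the labeling authority; in practice it lives in a KMS/HSM.
LABEL_KEY = b"constructed-demo-key-do-not-use"


def canonical(attrs: dict) -> bytes:
    """Stable serialization so the same attributes always hash identically."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()


def bind(payload: bytes, attrs: dict, key: bytes = LABEL_KEY) -> dict:
    """Produce a labeled object: attributes plus a tag over (attributes || payload)."""
    tag = hmac.new(key, canonical(attrs) + payload, hashlib.sha256).hexdigest()
    return {"attrs": attrs, "payload": payload, "tag": tag}


def verify(obj: dict, key: bytes = LABEL_KEY) -> bool:
    """True only if the tag matches both the attributes and the payload."""
    expected = hmac.new(key, canonical(obj["attrs"]) + obj["payload"],
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, obj["tag"])


def flow_decision(info: dict, dest_attrs: dict) -> tuple[bool, str]:
    """Decide whether a labeled information object may flow to a destination
    object described by dest_attrs. Returns (allowed, reason)."""
    if not verify(info):
        return False, "attribute binding failed: metadata not trusted"
    a = info["attrs"]
    if LEVELS[a["label"]] > LEVELS[dest_attrs["label"]]:
        return False, (f"{a['label']} information may not flow to an object "
                       f"labeled {dest_attrs['label']}")
    # Privacy attribute: a PII dataset tagged "no_combine" may not flow into a
    # destination that already holds any of the listed dataset kinds.
    forbidden = set(a.get("no_combine", ())) & set(dest_attrs.get("contains", ()))
    if forbidden:
        return False, f"privacy restriction: may not be combined with {sorted(forbidden)}"
    return True, "allowed"


if __name__ == "__main__":
    obj = bind(b"student health survey", {"label": "Confidential", "no_combine": ["grades"]})
    print(flow_decision(obj, {"label": "Secret", "contains": ["grades"]}))
    print(flow_decision(obj, {"label": "Secret", "contains": ["housing"]}))
```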

Assessment Objective
AC-04(06)

information flow control enforcement is based on [Assignment: metadata].

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

types of metadata used to enforce information flow control decisions

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

Related controls: AC-16, SI-7.

AC-4(7) Information Flow Enforcement | One-way Flow Mechanisms

Implementation Level: System

Control: Enforce one-way information flows through hardware-based flow control mechanisms.

Discussion

One-way flow mechanisms may also be referred to as a unidirectional network, unidirectional security gateway, or data diode. One-way flow mechanisms can be used to prevent data from being exported from a higher impact or classified domain or system while permitting data from a lower impact or unclassified domain or system to be imported.

Assessment Objective
AC-04(07)

one-way information flows are enforced through hardware-based flow control mechanisms.

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

system hardware mechanisms and associated configurations

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Hardware mechanisms implementing information flow enforcement policy

AC-4(8) Information Flow Enforcement | Security and Privacy Policy Filters

Implementation Level: System

Control:

(a)

Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and

(b)

[Selection: block; strip; modify; quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy].

Discussion

Organization-defined security or privacy policy filters can address data structures and content. For example, security or privacy policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security or privacy policy filters for data content can check for specific words, enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data refers to digital information without a data structure or with a data structure that does not facilitate the development of rule sets to address the impact or classification level of the information conveyed by the data or the flow enforcement decisions. Unstructured data consists of bitmap objects that are inherently non-language-based (i.e., image, video, or audio files) and textual objects that are based on written or printed languages. Organizations can implement more than one security or privacy policy filter to meet information flow control objectives.

Assessment Objectives
AC-04(08)(a)[01]

information flow control is enforced using [Assignment: security policy filter] as a basis for flow control decisions for [Assignment: information flows];

AC-04(08)(a)[02]

information flow control is enforced using [Assignment: privacy policy filter] as a basis for flow control decisions for [Assignment: information flows];

AC-04(08)(b)

[Selection: block; strip; modify; quarantine] data after a filter processing failure in accordance with [Assignment: security policy];

[Selection: block; strip; modify; quarantine] data after a filter processing failure in accordance with [Assignment: privacy policy].

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

list of security policy filters regulating flow control decisions

list of privacy policy filters regulating flow control decisions

system audit records

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security and privacy responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

security and privacy policy filters

AC-4(9) Information Flow Enforcement | Human Reviews

Implementation Level: Organization

Implementation Level: System

Control: Enforce the use of human reviews for [Assignment: information flows] under the following conditions: [Assignment: conditions].

Discussion

Organizations define security or privacy policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of or as a complement to automated security or privacy policy filtering. Human reviews may also be employed as deemed necessary by organizations.

Assessment Objective
AC-04(09)

human reviews are used for [Assignment: information flows] under [Assignment: conditions].

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

records of human reviews regarding information flows

list of information flows requiring the use of human reviews

list of conditions requiring human reviews for information flows

system audit records

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security and privacy responsibilities

organizational personnel with information flow enforcement responsibilities

system developers

Assessment Method: TEST

Mechanisms enforcing the use of human reviews

AC-4(10) Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters

Implementation Level: System

Control: Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions].

Discussion

For example, as allowed by the system authorization, administrators can enable security or privacy policy filters to accommodate approved data types. Administrators also have the capability to select the filters that are executed on a specific data flow based on the type of data that is being transferred, the source and destination security domains, and other security or privacy relevant features, as needed.

Assessment Objectives
AC-04(10)[01]

capability is provided for privileged administrators to enable and disable [Assignment: security filters] under [Assignment: conditions];

AC-04(10)[02]

capability is provided for privileged administrators to enable and disable [Assignment: privacy filters] under [Assignment: conditions].

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

list of security policy filters enabled/disabled by privileged administrators

list of privacy policy filters enabled/disabled by privileged administrators

list of approved data types for enabling/disabling by privileged administrators

system audit records

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with responsibilities for enabling/disabling security and privacy policy filters

system/network administrators

organizational personnel with information security and privacy responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

security and privacy policy filters

AC-4(11) Information Flow Enforcement | Configuration of Security or Privacy Policy Filters

Implementation Level: System

Control: Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies.

Discussion

Documentation contains detailed information for configuring security or privacy policy filters. For example, administrators can configure security or privacy policy filters to include the list of inappropriate words that security or privacy policy mechanisms check in accordance with the definitions provided by organizations.

Assessment Objectives
AC-04(11)[01]

capability is provided for privileged administrators to configure [Assignment: security policy filters] to support different security or privacy policies;

AC-04(11)[02]

capability is provided for privileged administrators to configure [Assignment: privacy policy filters] to support different security or privacy policies.

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

list of security policy filters

list of privacy policy filters

system audit records

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with responsibilities for configuring security and privacy policy filters

system/network administrators

organizational personnel with information security and privacy responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

security and privacy policy filters

AC-4(12) Information Flow Enforcement | Data Type Identifiers

Implementation Level: System

Control: When transferring information between different security domains, use [Assignment: data type identifiers] to validate data essential for information flow decisions.

Discussion

Data type identifiers include filenames, file types, file signatures or tokens, and multiple internal file signatures or tokens. Systems only allow transfer of data that is compliant with data type format specifications. Identification and validation of data types is based on defined specifications associated with each allowed data format. The filename and number alone are not used for data type identification. Content is validated syntactically and semantically against its specification to ensure that it is the proper data type.

Assessment Objective
AC-04(12)

when transferring information between different security domains, [Assignment: data type identifiers] are used to validate data essential for information flow decisions.

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

list of data type identifiers

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

AC-4(13) Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents

Implementation Level: System

Control: When transferring information between different security domains, decompose information into [Assignment: policy-relevant subcomponents] for submission to policy enforcement mechanisms.

Discussion

Decomposing information into policy-relevant subcomponents prior to information transfer facilitates policy decisions on source, destination, certificates, classification, attachments, and other security- or privacy-related component differentiators. Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains.

Assessment Objective
AC-04(13)

when transferring information between different security domains, information is decomposed into [Assignment: policy-relevant subcomponents] for submission to policy enforcement mechanisms.

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

AC-4(14) Information Flow Enforcement | Security or Privacy Policy Filter Constraints

Implementation Level: System

Control: When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content.

Discussion

Data structure and content restrictions reduce the range of potential malicious or unsanctioned content in cross-domain transactions. Security or privacy policy filters that restrict data structures include restricting file sizes and field lengths. Data content policy filters include encoding formats for character sets, restricting character data fields to only contain alpha-numeric characters, prohibiting special characters, and validating schema structures.

Assessment Objectives
AC-04(14)[01]

when transferring information between different security domains, implemented [Assignment: security policy filters] require fully enumerated formats that restrict data structure and content;

AC-04(14)[02]

when transferring information between different security domains, implemented [Assignment: privacy policy filters] require fully enumerated formats that restrict data structure and content.

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

list of security and privacy policy filters

list of data structure policy filters

list of data content policy filters

system audit records

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security and privacy responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

security and privacy policy filters

AC-4(15) Information Flow Enforcement | Detection of Unsanctioned Information

Implementation Level: System

Control: When transferring information between different security domains, examine the information for the presence of [Assignment: unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy].

Discussion

Unsanctioned information includes malicious code, information that is inappropriate for release from the source network, or executable code that could disrupt or harm the services or systems on the destination network.

Assessment Objectives
AC-04(15)[01]

when transferring information between different security domains, information is examined for the presence of [Assignment: unsanctioned information];

AC-04(15)[02]

when transferring information between different security domains, transfer of [Assignment: unsanctioned information] is prohibited in accordance with the [Assignment: security policy];

AC-04(15)[03]

when transferring information between different security domains, transfer of [Assignment: unsanctioned information] is prohibited in accordance with the [Assignment: privacy policy].

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

list of unsanctioned information types and associated information

system audit records

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information security responsibilities

organizational personnel with privacy responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

Related control: SI-3.

AC-4(16) Information Flow Enforcement | Information Transfers on Interconnected Systems

[Withdrawn: Incorporated into AC-4.]

AC-4(17) Information Flow Enforcement | Domain Authentication

Implementation Level: System

Control: Uniquely identify and authenticate source and destination points by [Selection: organization, system, application, service, individual] for information transfer.

Discussion

Attribution is a critical component of a security and privacy concept of operations. The ability to identify source and destination points for information flowing within systems allows the forensic reconstruction of events and encourages policy compliance by attributing policy violations to specific organizations or individuals. Successful domain authentication requires that system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information. Attribution also allows organizations to better maintain the lineage of personally identifiable information processing as it flows through systems and can facilitate consent tracking, as well as correction, deletion, or access requests from individuals.

Assessment Objective
AC-04(17)

source and destination points are uniquely identified and authenticated by [Selection: organization, system, application, service, individual] for information transfer.

Assessment Method: EXAMINE

Access control policy

information flow control policies

procedures addressing information flow enforcement

procedures addressing source and destination domain identification and authentication

system design documentation

system configuration settings and associated documentation

system audit records

list of system labels

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security and privacy responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement policy

Related controls: IA-2, IA-3, IA-9.

AC-4(18) Information Flow Enforcement | Security Attribute Binding

[Withdrawn: Incorporated into AC-16.]

AC-4(19) Information Flow Enforcement | Validation of Metadata

Implementation Level: System

Control: When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata.

Discussion

All information (including metadata and the data to which the metadata applies) is subject to filtering and inspection. Some organizations distinguish between metadata and data payloads (i.e., only the data to which the metadata is bound). Other organizations do not make such distinctions and consider metadata and the data to which the metadata applies to be part of the payload.

Assessment Objectives
AC-04(19)[01]

when transferring information between different security domains, [Assignment: security policy filters] are implemented on metadata;

AC-04(19)[02]

when transferring information between different security domains, [Assignment: privacy policy filters] are implemented on metadata.

Assessment Method: EXAMINE

Information flow enforcement policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

list of security policy filtering criteria applied to metadata and data payloads

system audit records

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information flow enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

organizational personnel with privacy responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement functions

security and privacy policy filters

AC-4(20) Information Flow Enforcement | Approved Solutions

Implementation Level: Organization

Control: Employ [Assignment: solutions in approved configurations] to control the flow of [Assignment: information] across security domains.

Discussion

Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The National Security Agency (NSA) National Cross Domain Strategy and Management Office provides a listing of approved cross-domain solutions. Contact ncdsmo@nsa.gov for more information.

Assessment Objective
AC-04(20)

[Assignment: solutions in approved configurations] are employed to control the flow of [Assignment: information] across security domains.

Assessment Method: EXAMINE

Information flow enforcement policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

list of solutions in approved configurations

approved configuration baselines

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information flow enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing information flow enforcement functions

AC-4(21) Information Flow Enforcement | Physical or Logical Separation of Information Flows

Implementation Level: Organization

Implementation Level: System

Control: Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: required separations].

Discussion

Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels.

Assessment Objectives
AC-04(21)[01]

information flows are separated logically using [Assignment: mechanisms and/or techniques] to accomplish [Assignment: required separations];

AC-04(21)[02]

information flows are separated physically using [Assignment: mechanisms and/or techniques] to accomplish [Assignment: required separations].

Assessment Method: EXAMINE

Information flow enforcement policy

information flow control policies

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

list of required separation of information flows by information types

list of mechanisms and/or techniques used to logically or physically separate information flows

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information flow enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing information flow enforcement functions

Related control: SC-32.

AC-4(22) Information Flow Enforcement | Access Only

Implementation Level: System

Control: Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.

Discussion

The system provides a capability for users to access each connected security domain without providing any mechanisms to allow users to transfer data or information between the different security domains. An example of an access-only solution is a terminal that provides a user access to information with different security classifications while assuredly keeping the information separate.

Assessment Objective
AC-04(22)

access is provided from a single device to computing platforms, applications, or data that reside in multiple different security domains while preventing information flow between the different security domains.

Assessment Method: EXAMINE

Information flow enforcement policy

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information flow enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing information flow enforcement functions

AC-4(23) Information Flow Enforcement | Modify Non-releasable Information

Implementation Level: Organization

Implementation Level: System

Control: When transferring information between different security domains, modify non-releasable information by implementing [Assignment: modification action].

Discussion

Modifying non-releasable information can help prevent a data spill or attack when information is transferred across security domains. Modification actions include masking, permutation, alteration, removal, or redaction.

Assessment Objective
AC-04(23)

when transferring information between security domains, non-releasable information is modified by implementing [Assignment: modification action].

Assessment Method: EXAMINE

Information flow enforcement policy

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information flow enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing information flow enforcement functions

AC-4(24) Information Flow Enforcement | Internal Normalized Format

Implementation Level: System

Control: When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.

Discussion

Converting data into normalized forms is one of the most effective mechanisms to stop malicious attacks and large classes of data exfiltration.
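The parse-then-regenerate approach described above, shown as an added example that is not part of this catalog or of the NIST text. It accepts one constructed record format: the schema, field names, limits and sample inputs are assumptions for the illustration. The same block also shows the content-based type validation of AC-4(12) (the filename is never consulted) and the fully enumerated format of AC-4(14).

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Fully enumerated format for the single record type this filter releases.
# Schema, field names and limits are constructed for this example.
FIELDS = {"id": int, "name": str, "status": str}
STATUS_VALUES = frozenset({"open", "closed"})
NAME_RE = re.compile(r"[A-Za-z0-9 ]{1,64}")
MAX_INPUT_BYTES = 4096


class FilterReject(Exception):
    """Raised when content fails a structure or content check."""


@dataclass(frozen=True)
class Record:
    # Internal normalized form: only validated, typed values live here.
    id: int
    name: str
    status: str


@dataclass(frozen=True)
class FilterResult:
    accepted: bool
    output: bytes | None   # regenerated bytes, never the original input
    reason: str


def _no_duplicate_keys(pairs):
    # A parser that silently keeps the last duplicate key is a bypass vector.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise FilterReject("duplicate object key")
    return dict(pairs)


def _reject_constant(name):
    # NaN / Infinity are not part of the enumerated format.
    raise FilterReject(f"non-finite constant {name}")


def parse_record(raw: bytes) -> Record:
    """Establish the data type from content alone (AC-4(12)); the sender's
    filename or declared type is deliberately not an input here."""
    if len(raw) > MAX_INPUT_BYTES:
        raise FilterReject(f"{len(raw)} bytes exceeds {MAX_INPUT_BYTES}")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise FilterReject("not valid UTF-8") from None
    try:
        obj = json.loads(text, object_pairs_hook=_no_duplicate_keys,
                         parse_constant=_reject_constant)
    except json.JSONDecodeError as err:
        raise FilterReject(f"not JSON: {err.msg}") from None
    if not isinstance(obj, dict) or set(obj) != set(FIELDS):
        raise FilterReject("field set does not match schema")
    for name, typ in FIELDS.items():
        if type(obj[name]) is not typ:   # 'is not' also rejects bool for int
            raise FilterReject(f"field {name!r} is not {typ.__name__}")
    if not 0 <= obj["id"] <= 2**31 - 1:
        raise FilterReject("id out of range")
    if not NAME_RE.fullmatch(obj["name"]):
        raise FilterReject("name contains characters outside the allowed set")
    if obj["status"] not in STATUS_VALUES:
        raise FilterReject("status not in enumerated values")
    return Record(obj["id"], obj["name"], obj["status"])


def regenerate(rec: Record) -> bytes:
    """Emit the record from the normalized form only (AC-4(24)); input bytes
    never reach the output, so hidden content and odd encodings are dropped."""
    canonical = {"id": rec.id, "name": rec.name, "status": rec.status}
    return json.dumps(canonical, separators=(",", ":"),
                      ensure_ascii=True).encode("ascii") + b"\n"


def filter_record(raw: bytes) -> FilterResult:
    try:
        return FilterResult(True, regenerate(parse_record(raw)), "ok")
    except FilterReject as why:
        return FilterResult(False, None, str(why))


# Constructed sample inputs: the same record with different whitespace and key order,
# then two inputs that a fully enumerated format must refuse.
SAMPLE_A = b'{"id": 7, "name": "Quarterly report", "status": "open"}'
SAMPLE_B = b'  {"status":"open",\n "name":"Quarterly report", "id":7}  '
SAMPLE_EXTRA_FIELD = b'{"id": 7, "name": "Quarterly report", "status": "open", "note": "x"}'
SAMPLE_DUP_KEY = b'{"id": 7, "id": 8, "name": "Quarterly report", "status": "open"}'

if __name__ == "__main__":
    for raw in (SAMPLE_A, SAMPLE_B, SAMPLE_EXTRA_FIELD, SAMPLE_DUP_KEY):
        print(filter_record(raw))
```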

Assessment Objectives
AC-04(24)[01]

when transferring information between different security domains, incoming data is parsed into an internal, normalized format;

AC-04(24)[02]

when transferring information between different security domains, the data is regenerated to be consistent with its intended specification.

Assessment Method: EXAMINE

Information flow enforcement policy

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information flow enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing information flow enforcement functions

AC-4(25) Information Flow Enforcement | Data Sanitization

Implementation Level: System

Control: When transferring information between different security domains, sanitize data to minimize [Selection: delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography-encoded data; spillage of sensitive information] in accordance with [Assignment: policy].

Discussion

Data sanitization is the process of irreversibly removing or destroying data stored on a memory device (e.g., hard drives, flash memory/solid state drives, mobile devices, CDs, and DVDs) or in hard copy form.

Assessment Objective
AC-04(25)

when transferring information between different security domains, data is sanitized to minimize [Selection: delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography-encoded data; spillage of sensitive information] in accordance with [Assignment: policy].

Assessment Method: EXAMINE

Information flow enforcement policy

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information flow enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing information flow enforcement functions

Related control: MP-6.

AC-4(26) Information Flow Enforcement | Audit Filtering Actions

Implementation Level: Organization

Implementation Level: System

Control: When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.

Discussion

Content filtering is the process of inspecting information as it traverses a cross-domain solution and determining whether the information meets a predefined policy. Content filtering actions and the results of filtering actions are recorded for individual messages to ensure that the correct filter actions were applied. Content filter reports are used to assist in troubleshooting actions by, for example, determining why message content was modified and/or why it failed the filtering process. Audit events are defined in AU-2. Audit records are generated in AU-12.

Assessment Objectives
AC-04(26)[01]

when transferring information between different security domains, content-filtering actions are recorded and audited;

AC-04(26)[02]

when transferring information between different security domains, results for the information being filtered are recorded and audited.

Assessment Method: EXAMINE

Information flow enforcement policy

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information flow enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing information flow enforcement functions

mechanisms implementing content filtering

mechanisms recording and auditing content filtering

Related controls: AU-2, AU-3, AU-12.

AC-4(27) Information Flow Enforcement | Redundant/Independent Filtering Mechanisms

Implementation Level: System

Control: When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.

Discussion

Content filtering is the process of inspecting information as it traverses a cross-domain solution and determining whether the information meets a predefined policy. Redundant and independent content filtering eliminates a single point of failure in the filtering system. Independence is defined as the implementation of a content filter that uses a different code base and supporting libraries (e.g., two JPEG filters using different vendors’ JPEG libraries) and multiple, independent system processes.

Assessment Objective
AC-04(27)

when transferring information between security domains, implemented content filtering solutions provide redundant and independent filtering mechanisms for each data type.

Assessment Method: EXAMINE

Information flow enforcement policy

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information flow enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing information flow enforcement functions

AC-4(28) Information Flow Enforcement | Linear Filter Pipelines

Implementation Level: System

Control: When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.

Discussion

Content filtering is the process of inspecting information as it traverses a cross-domain solution and determining whether the information meets a predefined policy. The use of linear content filter pipelines ensures that filter processes are non-bypassable and always invoked. In general, the use of parallel filtering architectures for content filtering of a single data type introduces bypass and non-invocation issues.

Assessment Objective
AC-04(28)

when transferring information between security domains, a linear content filter pipeline is implemented that is enforced with discretionary and mandatory access controls.

Assessment Method: EXAMINE

Information flow enforcement policy

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information flow enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing information flow enforcement functions

mechanisms implementing linear content filters

AC-4(29) Information Flow Enforcement | Filter Orchestration Engines

Implementation Level: Organization

Implementation Level: System

Control: When transferring information between different security domains, employ content filter orchestration engines to ensure that:

(a)

Content filtering mechanisms successfully complete execution without errors; and

(b)

Content filtering actions occur in the correct order and comply with [Assignment: policy].

Discussion

Content filtering is the process of inspecting information as it traverses a cross-domain solution and determining whether the information meets a predefined security policy. An orchestration engine coordinates the sequencing of activities (manual and automated) in a content filtering process. Errors are defined as either anomalous actions or unexpected termination of the content filter process. This is not the same as a filter failing content due to non-compliance with policy. Content filter reports are a commonly used mechanism to ensure that expected filtering actions are completed successfully.

Assessment Objectives
AC-04(29)(a)

when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering mechanisms successfully complete execution without errors;

AC-04(29)(b)[01]

when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions occur in the correct order;

AC-04(29)(b)[02]

when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions comply with [Assignment: policy].

Assessment Method: EXAMINE

Information flow enforcement policy

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information flow enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing information flow enforcement functions

mechanisms implementing content filter orchestration engines

AC-4(30) Information Flow Enforcement | Filter Mechanisms Using Multiple Processes

Implementation Level: System

Control: When transferring information between different security domains, implement content filtering mechanisms using multiple processes.

Discussion

The use of multiple processes to implement content filtering mechanisms reduces the likelihood of a single point of failure.

Assessment Objective
AC-04(30)

when transferring information between security domains, content-filtering mechanisms using multiple processes are implemented.

Assessment Method: EXAMINE

Information flow enforcement policy

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information flow enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing information flow enforcement functions

mechanisms implementing content filtering

AC-4(31) Information Flow Enforcement | Failed Content Transfer Prevention

Implementation Level: System

Control: When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.

Discussion

Content that failed filtering checks can corrupt the system if transferred to the receiving domain.

Assessment Objective
AC-04(31)

when transferring information between different security domains, the transfer of failed content to the receiving domain is prevented.

Assessment Method: EXAMINE

Information flow enforcement policy

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information flow enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing information flow enforcement functions

AC-4(32) Information Flow Enforcement | Process Requirements for Information Transfer

Implementation Level: System

Control: When transferring information between different security domains, the process that transfers information between filter pipelines:

(a)

Does not filter message content;

(b)

Validates filtering metadata;

(c)

Ensures the content associated with the filtering metadata has successfully completed filtering; and

(d)

Transfers the content to the destination filter pipeline.

Discussion

The processes transferring information between filter pipelines have minimum complexity and functionality to provide assurance that the processes operate correctly.

Assessment Objectives
AC-04(32)(a)

when transferring information between different security domains, the process that transfers information between filter pipelines does not filter message content;

AC-04(32)(b)

when transferring information between different security domains, the process that transfers information between filter pipelines validates filtering metadata;

AC-04(32)(c)

when transferring information between different security domains, the process that transfers information between filter pipelines ensures that the content with the filtering metadata has successfully completed filtering;

AC-04(32)(d)

when transferring information between different security domains, the process that transfers information between filter pipelines transfers the content to the destination filter pipeline.

Assessment Method: EXAMINE

Information flow enforcement policy

procedures addressing information flow enforcement

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information flow enforcement responsibilities

system/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing information flow enforcement functions

mechanisms implementing content filtering
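The following is an added illustration, not part of this catalog or of NIST SP 800-53, of how the behaviours required by AC-4(26), AC-4(28), AC-4(29), AC-4(31) and AC-4(32) fit together in code: a fixed, ordered (linear) filter pipeline that records every filtering action per message, an orchestration step that distinguishes a policy failure from a filter error, and a transfer process that inspects only the filtering metadata and never forwards content that did not pass. The filter names, the policy values (size limit, banned marking) and the sample messages are all constructed for the example.

```python
"""Linear content-filter pipeline with per-message audit records.

Added example modelling AC-4(26), (28), (29), (31) and (32); the filters,
policy values and message format below are constructed, not from any product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple


@dataclass
class Message:
    msg_id: str
    data_type: str
    content: bytes
    audit: List[Dict] = field(default_factory=list)  # AC-4(26): one record per filter action
    status: str = "pending"                           # pending | passed | failed | error


class FilterError(Exception):
    """Unexpected termination of a filter: an AC-4(29) 'error', not a policy failure."""


# A filter returns ("pass" | "fail", human-readable detail) or raises FilterError.
Filter = Callable[[Message], Tuple[str, str]]


def size_filter(m: Message) -> Tuple[str, str]:
    limit = 1024  # constructed policy value
    return ("pass" if len(m.content) <= limit else "fail", f"size={len(m.content)} limit={limit}")


def type_filter(m: Message) -> Tuple[str, str]:
    # Constructed per-data-type checks: 'text' must be printable ASCII, 'jpeg' must start FF D8.
    if m.data_type == "text":
        ok = all(32 <= b < 127 or b in (9, 10, 13) for b in m.content)
    elif m.data_type == "jpeg":
        ok = m.content[:2] == b"\xff\xd8"
    else:
        raise FilterError(f"no filter registered for data type {m.data_type!r}")
    return ("pass" if ok else "fail", "content matches declared type" if ok else "type mismatch")


def marking_filter(m: Message) -> Tuple[str, str]:
    banned = [b"SECRET//"]  # constructed marking policy for the sample
    hits = [k.decode() for k in banned if k in m.content]
    return ("fail" if hits else "pass", f"markings found={hits}")


# AC-4(28): a linear pipeline. Every stage is invoked in this order; none can be skipped.
PIPELINE: List[Tuple[str, Filter]] = [("size", size_filter), ("type", type_filter), ("marking", marking_filter)]


def _record(filter_name: str, result: str, detail: str) -> Dict:
    return {"ts": datetime.now(timezone.utc).isoformat(), "filter": filter_name,
            "result": result, "detail": detail}


def run_pipeline(m: Message) -> Message:
    """Orchestration (AC-4(29)): run stages in order, audit each, stop at the first fail or error."""
    for name, f in PIPELINE:
        try:
            verdict, detail = f(m)
        except FilterError as e:
            m.audit.append(_record(name, "error", str(e)))
            m.status = "error"          # filter did not complete: treated differently from a policy fail
            return m
        m.audit.append(_record(name, verdict, detail))
        if verdict == "fail":
            m.status = "failed"
            return m
    m.status = "passed"
    return m


def filtering_complete(m: Message) -> bool:
    """AC-4(32)(b),(c): validate the metadata shows every stage ran, in order, and passed."""
    expected = [name for name, _ in PIPELINE]
    ran = [r["filter"] for r in m.audit]
    return m.status == "passed" and ran == expected and all(r["result"] == "pass" for r in m.audit)


def transfer(m: Message, receiving_domain: List[str]) -> bool:
    """AC-4(32)(a),(d): the transfer process reads metadata only and never filters content.

    AC-4(31): content that failed or errored is never handed to the receiving domain.
    """
    if not filtering_complete(m):
        return False
    receiving_domain.append(m.msg_id)
    return True
```

A practitioner would point an assessor at `Message.audit` for AC-4(26) (each stage, its verdict and the reason), at the fixed `PIPELINE` list for AC-4(28), and at `transfer`, which has no access path to the content, for AC-4(32)(a).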

AC-5 Separation of Duties

Implementation Level: Organization

Texas DIR Baseline: MODERATE

Texas DIR Required By: 2023-07-20

Control:

a.

Identify and document [Assignment: duties of individuals]; and

b.

Define system access authorizations to support separation of duties.

Discussion

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in AC-2, access control mechanisms in AC-3, and identity management activities in IA-2, IA-4, and IA-12.

Assessment Objectives
AC-05a.

[Assignment: duties of individuals] are identified and documented;

AC-05b.

system access authorizations to support separation of duties are defined.

Assessment Method: EXAMINE

Access control policy

procedures addressing divisions of responsibility and separation of duties

system configuration settings and associated documentation

list of divisions of responsibility and separation of duties

system access authorizations

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties

organizational personnel with information security responsibilities

system/network administrators

Assessment Method: TEST

Mechanisms implementing separation of duties policy

Related controls: AC-2, AC-3, AC-6, AU-9, CM-5, CM-11, CP-9, IA-2, IA-4, IA-5, IA-12, MA-3, MA-5, PS-2, SA-8, SA-17.

AC-6 Least Privilege

Implementation Level: Organization

Texas DIR Baseline: MODERATE

Texas DIR Required By: 2023-07-20

Control: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Texas DIR Implementation: Confidential information shall be accessible only to authorized users. An information file or record containing any confidential information shall be identified, documented, and protected in its entirety. Information resources assigned from one state organization to another or from a state organization to a contractor or other third party, at a minimum, shall be protected in accordance with the conditions imposed by the providing state organization.

Discussion

Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.

Assessment Objective
AC-06

the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Assessment Method: EXAMINE

Access control policy

procedures addressing least privilege

list of assigned access authorizations (user privileges)

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

Assessment Method: TEST

Mechanisms implementing least privilege functions

Related controls: AC-2, AC-3, AC-5, AC-16, CM-5, CM-11, PL-2, PM-12, SA-8, SA-15, SA-17, SC-38.

Control enhancements
AC-6(1) Least Privilege | Authorize Access to Security Functions

Implementation Level: Organization

Control: Authorize access for [Assignment: individuals and roles] to:

(a)

[Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and

(b)

[Assignment: security-relevant information].

Discussion

Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users.

Assessment Objectives
AC-06(01)(a)[01]

access is authorized for [Assignment: individuals and roles] to [Assignment: security functions (deployed in hardware)];

AC-06(01)(a)[02]

access is authorized for [Assignment: individuals and roles] to [Assignment: security functions (deployed in software)];

AC-06(01)(a)[03]

access is authorized for [Assignment: individuals and roles] to [Assignment: security functions (deployed in firmware)];

AC-06(01)(b)

access is authorized for [Assignment: individuals and roles] to [Assignment: security-relevant information].

Assessment Method: EXAMINE

Access control policy

procedures addressing least privilege

list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

Assessment Method: TEST

Mechanisms implementing least privilege functions

Related controls: AC-17, AC-18, AC-19, AU-9, PE-2.

AC-6(2) Least Privilege | Non-privileged Access for Nonsecurity Functions

Implementation Level: Organization

Control: Require that users of system accounts (or roles) with access to [Assignment: security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions.

Discussion

Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

Assessment Objective
AC-06(02)

users of system accounts (or roles) with access to [Assignment: security functions or security-relevant information] are required to use non-privileged accounts or roles when accessing nonsecurity functions.

Assessment Method: EXAMINE

Access control policy

procedures addressing least privilege

list of system-generated security functions or security-relevant information assigned to system accounts or roles

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

Assessment Method: TEST

Mechanisms implementing least privilege functions

Related controls: AC-17, AC-18, AC-19, PL-4.

AC-6(3) Least Privilege | Network Access to Privileged Commands

Implementation Level: Organization

Control: Authorize network access to [Assignment: privileged commands] only for [Assignment: compelling operational needs] and document the rationale for such access in the security plan for the system.

Discussion

Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).

Assessment Objectives
AC-06(03)[01]

network access to [Assignment: privileged commands] is authorized only for [Assignment: compelling operational needs];

AC-06(03)[02]

the rationale for authorizing network access to privileged commands is documented in the security plan for the system.

Assessment Method: EXAMINE

Access control policy

procedures addressing least privilege

system configuration settings and associated documentation

system audit records

list of operational needs for authorizing network access to privileged commands

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing least privilege functions

Related controls: AC-17, AC-18, AC-19.

AC-6(4) Least Privilege | Separate Processing Domains

Implementation Level: Organization

Implementation Level: System

Control: Provide separate processing domains to enable finer-grained allocation of user privileges.

Discussion

Providing separate processing domains for finer-grained allocation of user privileges includes using virtualization techniques to permit additional user privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying physical machine, implementing separate physical domains, and employing hardware or software domain separation mechanisms.

Assessment Objective
AC-06(04)

separate processing domains are provided to enable finer-grained allocation of user privileges.

Assessment Method: EXAMINE

Access control policy

procedures addressing least privilege

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing least privilege functions

Related controls: AC-4, SC-2, SC-3, SC-30, SC-32, SC-39.

AC-6(5) Least Privilege | Privileged Accounts

Implementation Level: Organization

Control: Restrict privileged accounts on the system to [Assignment: personnel or roles].

Discussion

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk.

Assessment Objective
AC-06(05)

privileged accounts on the system are restricted to [Assignment: personnel or roles].

Assessment Method: EXAMINE

Access control policy

procedures addressing least privilege

list of system-generated privileged accounts

list of system administration personnel

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

Assessment Method: TEST

Mechanisms implementing least privilege functions

Related controls: IA-2, MA-3, MA-4.

AC-6(6) Least Privilege | Privileged Access by Non-organizational Users

Implementation Level: Organization

Control: Prohibit privileged access to the system by non-organizational users.

Discussion

An organizational user is an employee or an individual considered by the organization to have the equivalent status of an employee. Organizational users include contractors, guest researchers, or individuals detailed from other organizations. A non-organizational user is a user who is not an organizational user. Policies and procedures for granting equivalent status of employees to individuals include a need-to-know, citizenship, and the relationship to the organization.

Assessment Objective
AC-06(06)

privileged access to the system by non-organizational users is prohibited.

Assessment Method: EXAMINE

Access control policy

procedures addressing least privilege

list of system-generated privileged accounts

list of non-organizational users

system configuration settings and associated documentation

audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

Assessment Method: TEST

Mechanisms prohibiting privileged access to the system

Related controls: AC-18, AC-19, IA-2, IA-8.

AC-6(7) Least Privilege | Review of User Privileges

Implementation Level: Organization

Control:

(a)

Review [Assignment: frequency] the privileges assigned to [Assignment: roles and classes] to validate the need for such privileges; and

(b)

Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.

Discussion

The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.

Assessment Objectives
AC-06(07)(a)

privileges assigned to [Assignment: roles and classes] are reviewed [Assignment: frequency] to validate the need for such privileges;

AC-06(07)(b)

privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.

Assessment Method: EXAMINE

Access control policy

procedures addressing least privilege

list of system-generated roles or classes of users and assigned privileges

system design documentation

system configuration settings and associated documentation

validation reviews of privileges assigned to roles or classes of users

records of privilege removals or reassignments for roles or classes of users

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

Assessment Method: TEST

Mechanisms implementing review of user privileges

Related control: CA-7.

AC-6(8) Least Privilege | Privilege Levels for Code Execution

Implementation Level: System

Control: Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: software].

Discussion

In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided with greater privileges than assigned.

Assessment Objective
AC-06(08)

[Assignment: software] is prevented from executing at higher privilege levels than users executing the software.

Assessment Method: EXAMINE

Access control policy

procedures addressing least privilege

list of software that should not execute at higher privilege levels than users executing software

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

system developers

Assessment Method: TEST

Mechanisms implementing least privilege functions for software execution

AC-6(9) Least Privilege | Log Use of Privileged Functions

Implementation Level: System

Control: Log the execution of privileged functions.

Discussion

The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat.

Assessment Objective
AC-06(09)

the execution of privileged functions is logged.

Assessment Method: EXAMINE

Access control policy

procedures addressing least privilege

system design documentation

system configuration settings and associated documentation

list of privileged functions to be audited

list of audited events

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

system developers

Assessment Method: TEST

Mechanisms auditing the execution of least privilege functions

Related controls: AU-2, AU-3, AU-12.

AC-6(10) Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions

Implementation Level: System

Control: Prevent non-privileged users from executing privileged functions.

Discussion

Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by AC-3.

Assessment Objective
AC-06(10)

non-privileged users are prevented from executing privileged functions.

Assessment Method: EXAMINE

Access control policy

procedures addressing least privilege

system design documentation

system configuration settings and associated documentation

list of privileged functions and associated user account assignments

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing least privilege functions for non-privileged users
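AC-6(9) asks that the execution of privileged functions be logged, and AC-6(10) that non-privileged users be prevented from executing them; an assessor testing both typically reviews the resulting audit records against the "list of privileged functions and associated user account assignments". The block below is an added example of that review, not part of this catalog: it parses a few constructed log lines written in the syslog format that sudo emits on Linux, maps the executed binary to a privileged function from a constructed list, and reports any execution by an account that is not on the constructed authorized list. The host name, user names, commands and the 192.0.2.10 address are all constructed sample values.

```python
"""Review privileged-function audit records (AC-6(9)) for executions by unauthorized
accounts (AC-6(10)). Added example; the log lines, function list and authorized
users are constructed, not taken from any real system.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample lines in sudo's syslog format. The fifth line is unrelated noise.
SAMPLE_LOG = """\
Jun 12 10:01:02 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd svc-backup
Jun 12 10:03:17 srv1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl stop auditd
Jun 12 10:05:44 srv1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/auditctl -e 0
Jun 12 10:07:09 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/syslog
Jun 12 10:08:30 srv1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
"""

# Constructed "list of privileged functions to be audited": binary -> function it performs.
PRIVILEGED_FUNCTIONS: Dict[str, str] = {
    "/usr/sbin/useradd": "establish system account",
    "/usr/sbin/auditctl": "alter audit configuration",
    "/usr/bin/systemctl": "control security services",
}
# Constructed account assignment: only these users are authorized for privileged functions.
AUTHORIZED_USERS: Set[str] = {"alice"}

SUDO_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<rest>.*)$")


def parse_sudo_line(line: str) -> Optional[Dict]:
    """Parse one sudo record. Fields are ' ; '-separated KEY=VALUE pairs; a leading
    field without '=' (e.g. 'user NOT in sudoers') is the denial reason."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    reason = None
    for part in m["rest"].split(" ; "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
        else:
            reason = part
    return {"ts": m["ts"], "host": m["host"], "user": m["user"], "denied_reason": reason,
            "target_user": fields.get("USER"), "command": fields.get("COMMAND", "")}


def review(log_text: str, privileged_functions: Dict[str, str], authorized: Set[str]) -> List[Dict]:
    """Return one finding per record whose command is a listed privileged function."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        binary = ev["command"].split(" ", 1)[0]
        function = privileged_functions.get(binary)
        if function is None:
            continue  # not a privileged function on the list; ordinary sudo use
        ev["function"] = function
        ev["outcome"] = "denied" if ev["denied_reason"] else "executed"
        ev["authorized"] = ev["user"] in authorized
        findings.append(ev)
    return findings


def violations(findings: List[Dict]) -> List[Dict]:
    """AC-6(10) failures: a privileged function actually executed by an unauthorized account.
    Denied attempts are still worth reviewing but show the control working."""
    return [f for f in findings if f["outcome"] == "executed" and not f["authorized"]]


if __name__ == "__main__":
    for f in review(SAMPLE_LOG, PRIVILEGED_FUNCTIONS, AUTHORIZED_USERS):
        print(f["ts"], f["user"], f["outcome"], f["function"], "authorized" if f["authorized"] else "UNAUTHORIZED")
```

The denied record for `bob` is evidence that the AC-3 enforcement AC-6(10) relies on is working; the executed record for `carol` is the finding an assessor would raise, since the account is not on the assignment list yet the audit trail shows the function ran.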

AC-7 Unsuccessful Logon Attempts

Implementation Level: System

Texas DIR Baseline: LOW

Texas DIR Required By: 2023-07-20

Control:

a.

Enforce a limit of [Assignment: number] consecutive invalid logon attempts by a user during a [Assignment: time period]; and

b.

Automatically [Selection: lock the account or node for [Assignment: time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: delay algorithm]; notify system administrator; take other [Assignment: action]] when the maximum number of unsuccessful attempts is exceeded.

Texas DIR Implementation:

a. As technology permits, state agencies must designate at least one threshold activated by invalid logon attempts (i.e., item a from the control description, an agency-defined number of invalid logon attempts by a user account within an agency-defined time-period).

b. As technology permits, state agencies must define, implement, and enforce at least one automatic action that occurs when an agency-defined threshold for invalid logon attempts has been reached (i.e., item b from the control description).

c. In designing and implementing access controls for information systems, state agencies should apply a risk-based approach that considers some or all of the following criteria:

1. Capabilities and features of the system;

2. The level of risk presented by the system;

3. Successful application and enforcement of other security controls, such as multifactor authentication, password entropy, and maturity of other authenticator management practices relevant to the information system;

4. The ability to detect and mitigate the risk of other types of attacks focused on authentication (e.g., “account spraying” attacks in which threat actors attempt to access multiple accounts from the same IP address or set of IP addresses without causing many failed logon attempts against each individual account targeted by the threat actors);

5. Whether the system is accessible from the Internet or other public or broadly accessible network(s);

6. Impacts to the agency’s users, operations, and support resources if automatic account lockout controls are abused by threat actors to the detriment of account or system availability; and

7. The application of more rigorous controls commensurate to the value and potential for abuse of a type of account (e.g., applying additional controls, enhancements, or overlays to privileged accounts).

Discussion

The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.
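As an added example that is not part of this catalog or of NIST SP 800-53, the following Python models AC-7a/b (a failure threshold counted inside a sliding time period, a temporary account lock, an exponential delay algorithm and an administrator notification) and, for Texas DIR implementation item 4, a detection over constructed audit lines for the account-spraying pattern described there. Every name, threshold, the `verify` callback and the log line format are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class LockoutPolicy:
    """Parameters corresponding to the AC-7 assignments (values are example choices)."""
    max_attempts: int = 5                               # [Assignment: number]
    window: timedelta = timedelta(minutes=15)           # [Assignment: time period] for counting
    lock_duration: timedelta = timedelta(minutes=30)    # [Selection: lock the account for ...]
    base_delay: timedelta = timedelta(seconds=2)        # [Assignment: delay algorithm] base step


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)      # timestamps of recent invalid attempts
    locked_until: Optional[datetime] = None


class LogonGuard:
    """Enforces AC-7a (windowed threshold) and AC-7b (lock, delay, notify administrator)."""

    def __init__(self, policy: LockoutPolicy, verify):
        self.policy = policy
        self.verify = verify            # hypothetical credential check: (user, secret) -> bool
        self.state = defaultdict(AccountState)
        self.admin_notifications = []   # the "notify system administrator" action

    def attempt(self, user: str, secret: str, now: datetime):
        """Returns (outcome, wait): wait is the delay before the next prompt or the remaining lock time."""
        st, pol = self.state[user], self.policy
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked", st.locked_until - now     # correct secrets are refused while locked
            st.locked_until = None                         # temporary lock released after lock_duration
            st.failures.clear()
        # AC-7a: only failures inside the sliding window count toward the limit
        while st.failures and now - st.failures[0] > pol.window:
            st.failures.popleft()
        if self.verify(user, secret):
            st.failures.clear()
            return "success", timedelta(0)
        st.failures.append(now)
        n = len(st.failures)
        if n >= pol.max_attempts:
            # AC-7b: lock the account for the assigned period and notify an administrator
            st.locked_until = now + pol.lock_duration
            self.admin_notifications.append((user, now))
            return "locked", pol.lock_duration
        # AC-7b delay algorithm: exponential back-off before the next logon prompt
        return "denied", pol.base_delay * (2 ** (n - 1))


# Constructed audit lines (TEST-NET addresses), not real records; format is an assumption.
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z logon_failed user=alice src=203.0.113.7",
    "2024-05-01T09:00:02Z logon_failed user=bob src=203.0.113.7",
    "2024-05-01T09:00:03Z logon_failed user=carol src=203.0.113.7",
    "2024-05-01T09:00:04Z logon_failed user=dave src=203.0.113.7",
    "2024-05-01T09:00:05Z logon_failed user=erin src=203.0.113.7",
    "2024-05-01T09:00:06Z logon_failed user=frank src=203.0.113.7",
    "2024-05-01T09:01:00Z logon_failed user=alice src=198.51.100.4",
    "2024-05-01T09:01:05Z logon_failed user=alice src=198.51.100.4",
]
LOG_RE = re.compile(r"^\S+ logon_failed user=(?P<user>\S+) src=(?P<src>\S+)$")


def detect_spraying(lines, policy: LockoutPolicy, min_accounts: int = 5):
    """Flags sources that fail against many distinct accounts while each account stays
    below the AC-7 lockout threshold, so the per-account lock never fires (item 4)."""
    by_src = defaultdict(lambda: defaultdict(int))     # src -> user -> failure count
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            by_src[m["src"]][m["user"]] += 1
    return {src: len(users) for src, users in by_src.items()
            if len(users) >= min_accounts and max(users.values()) < policy.max_attempts}


def demo():
    """Walks one account through the threshold, the lock, a refused logon, and the release."""
    guard = LogonGuard(LockoutPolicy(), verify=lambda u, s: s == "correct horse")
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    outcomes = [guard.attempt("alice", "wrong", t0 + timedelta(seconds=i)) for i in range(5)]
    outcomes.append(guard.attempt("alice", "correct horse", t0 + timedelta(minutes=1)))   # still locked
    outcomes.append(guard.attempt("alice", "correct horse", t0 + timedelta(minutes=31)))  # lock expired
    return outcomes


if __name__ == "__main__":
    for outcome, wait in demo():
        print(outcome, wait)
    print(detect_spraying(SAMPLE_LOG, LockoutPolicy()))
```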

Assessment Objectives
AC-07a.

a limit of [Assignment: number] consecutive invalid logon attempts by a user during [Assignment: time period] is enforced;

AC-07b.

automatically [Selection: lock the account or node for [Assignment: time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: delay algorithm]; notify system administrator; take other [Assignment: action]] when the maximum number of unsuccessful attempts is exceeded.

Assessment Method: EXAMINE

Access control policy

procedures addressing unsuccessful logon attempts

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

Organizational personnel with information security responsibilities

system developers

system/network administrators

Assessment Method: TEST

Mechanisms implementing access control policy for unsuccessful logon attempts

Related controls: AC-2, AC-9, AU-2, AU-6, IA-5.

Control enhancements
AC-7(1) Unsuccessful Logon Attempts | Automatic Account Lock

[Withdrawn: Incorporated into AC-7.]

AC-7(2) Unsuccessful Logon Attempts | Purge or Wipe Mobile Device

Implementation Level: System

Control: Purge or wipe information from [Assignment: mobile devices] based on [Assignment: purging or wiping requirements and techniques] after [Assignment: number] consecutive, unsuccessful device logon attempts.

Discussion

A mobile device is a computing device that has a small form factor such that it can be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Purging or wiping the device applies only to mobile devices for which the organization-defined number of unsuccessful logons occurs. The logon is to the mobile device, not to any one account on the device. Successful logons to accounts on mobile devices reset the unsuccessful logon count to zero. Purging or wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms.

Assessment Objective
AC-07(02)

information is purged or wiped from [Assignment: mobile devices] based on [Assignment: purging or wiping requirements and techniques] after [Assignment: number] consecutive, unsuccessful device logon attempts.

Assessment Method: EXAMINE

Access control policy

procedures addressing unsuccessful logon attempts on mobile devices

system design documentation

system configuration settings and associated documentation

list of mobile devices to be purged/wiped after organization-defined consecutive, unsuccessful device logon attempts

list of purging/wiping requirements or techniques for mobile devices

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing access control policy for unsuccessful device logon attempts

Related controls: AC-19, MP-5, MP-6.

AC-7(3) Unsuccessful Logon Attempts | Biometric Attempt Limiting

Implementation Level: Organization

Control: Limit the number of unsuccessful biometric logon attempts to [Assignment: number].

Discussion

Biometrics are probabilistic in nature. The ability to successfully authenticate can be impacted by many factors, including matching performance and presentation attack detection mechanisms. Organizations select the appropriate number of attempts for users based on organizationally-defined factors.

Assessment Objective
AC-07(03)

unsuccessful biometric logon attempts are limited to [Assignment: number].

Assessment Method: EXAMINE

Access control policy

procedures addressing unsuccessful logon attempts on biometric devices

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing access control policy for unsuccessful logon attempts

Related control: IA-3.

AC-7(4) Unsuccessful Logon Attempts | Use of Alternate Authentication Factor

Implementation Level: Organization

Implementation Level: System

Control:

(a) Allow the use of [Assignment: authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and

(b) Enforce a limit of [Assignment: number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: time period].

Discussion

The use of alternate authentication factors supports the objective of availability and allows a user who has inadvertently been locked out to use additional authentication factors to bypass the lockout.

Assessment Objectives
AC-07(04)(a)

[Assignment: authentication factors] that are different from the primary authentication factors are allowed to be used after the number of organization-defined consecutive invalid logon attempts have been exceeded;

AC-07(04)(b)

a limit of [Assignment: number] consecutive invalid logon attempts through the use of the alternative factors by the user during a [Assignment: time period] is enforced.

Assessment Method: EXAMINE

Access control policy

procedures addressing unsuccessful logon attempts for primary and alternate authentication factors

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

Assessment Method: TEST

Mechanisms implementing access control policy for unsuccessful logon attempts

Related control: IA-3.

References
AC-8 System Use Notification

Implementation Level: Organization

Implementation Level: System

Texas DIR Baseline: LOW

Texas DIR Required By: 2023-01-20

Texas A&M System Required By: 2022-08-01

Control:

a. Display [Assignment: system use notification] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:

1. Users are accessing a U.S. Government system;

2. System usage may be monitored, recorded, and subject to audit;

3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and

4. Use of the system indicates consent to monitoring and recording;

b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and

c. For publicly accessible systems:

1. Display system use information [Assignment: conditions], before granting further access to the publicly accessible system;

2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

3. Include a description of the authorized uses of the system.

Texas DIR Implementation:

[Withdrawn.]

Texas A&M System Implementation: Publish a privacy notice on websites owned by the organization which contains, at a minimum, the content contained on or a link to the Texas A&M University System online privacy standard at https://cyber-standards.tamus.edu/privacy-standard.

Discussion

System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content.

Assessment Objectives
AC-08a.

[Assignment: system use notification] is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

the system use notification states that users are accessing a U.S. Government system;

the system use notification states that system usage may be monitored, recorded, and subject to audit;

the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and

the system use notification states that use of the system indicates consent to monitoring and recording;

AC-08b.

the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;

AC-08c.01

for publicly accessible systems, system use information [Assignment: conditions] is displayed before granting further access to the publicly accessible system;

AC-08c.02

for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;

AC-08c.03

for publicly accessible systems, a description of the authorized uses of the system is included.

Assessment Method: EXAMINE

Access control policy

privacy and security policies, procedures addressing system use notification

documented approval of system use notification messages or banners

system audit records

user acknowledgements of notification message or banner

system design documentation

system configuration settings and associated documentation

system use notification messages

system security plan

privacy plan

privacy impact assessment

privacy assessment report

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security and privacy responsibilities

legal counsel

system developers

Assessment Method: TEST

Mechanisms implementing system use notification

Related controls: AC-14, PL-4, SI-4.

Control enhancements
References
AC-9 Previous Logon Notification

Implementation Level: System

Control: Notify the user, upon successful logon to the system, of the date and time of the last logon.

Discussion

Previous logon notification is applicable to system access via human user interfaces and access to systems that occurs in other types of architectures. Information about the last successful logon allows the user to recognize if the date and time provided is not consistent with the user’s last access.

Assessment Objective
AC-09

the user is notified, upon successful logon to the system, of the date and time of the last logon.

Assessment Method: EXAMINE

Access control policy

procedures addressing previous logon notification

system design documentation

system configuration settings and associated documentation

system notification messages

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing access control policy for previous logon notification

Related controls: AC-7, PL-4.

Control enhancements
AC-9(1) Previous Logon Notification | Unsuccessful Logons

Implementation Level: System

Control: Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.

Discussion

Information about the number of unsuccessful logon attempts since the last successful logon allows the user to recognize if the number of unsuccessful logon attempts is consistent with the user’s actual logon attempts.

Assessment Objective
AC-09(01)

the user is notified, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.

Assessment Method: EXAMINE

Access control policy

procedures addressing previous logon notification

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing access control policy for previous logon notification

AC-9(2) Previous Logon Notification | Successful and Unsuccessful Logons

Implementation Level: System

Control: Notify the user, upon successful logon, of the number of [Selection: successful logons; unsuccessful logon attempts; both] during [Assignment: time period].

Discussion

Information about the number of successful and unsuccessful logon attempts within a specified time period allows the user to recognize if the number and type of logon attempts are consistent with the user’s actual logon attempts.

Assessment Objective
AC-09(02)

the user is notified, upon successful logon, of the number of [Selection: successful logons; unsuccessful logon attempts; both] during [Assignment: time period].

Assessment Method: EXAMINE

Access control policy

procedures addressing previous logon notification

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing access control policy for previous logon notification

AC-9(3) Previous Logon Notification | Notification of Account Changes

Implementation Level: System

Control: Notify the user, upon successful logon, of changes to [Assignment: security-related characteristics or parameters] during [Assignment: time period].

Discussion

Information about changes to security-related account characteristics within a specified time period allows users to recognize if changes were made without their knowledge.

Assessment Objective
AC-09(03)

the user is notified, upon successful logon, of changes to [Assignment: security-related characteristics or parameters] during [Assignment: time period].

Assessment Method: EXAMINE

Access control policy

procedures addressing previous logon notification

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing access control policy for previous logon notification

AC-9(4) Previous Logon Notification | Additional Logon Information

Implementation Level: System

Control: Notify the user, upon successful logon, of the following additional information: [Assignment: additional information].

Discussion

Organizations can specify additional information to be provided to users upon logon, including the location of the last logon. User location is defined as information that can be determined by systems, such as Internet Protocol (IP) addresses from which network logons occurred, notifications of local logons, or device identifiers.

Assessment Objective
AC-09(04)

the user is notified, upon successful logon, of [Assignment: additional information].

Assessment Method: EXAMINE

Access control policy

procedures addressing previous logon notification

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing access control policy for previous logon notification

References
AC-10 Concurrent Session Control

Implementation Level: System

Control: Limit the number of concurrent sessions for each [Assignment: account and/or account types] to [Assignment: number].

Discussion

Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts.

Assessment Objective
AC-10

the number of concurrent sessions for each [Assignment: account and/or account types] is limited to [Assignment: number].

Assessment Method: EXAMINE

Access control policy

procedures addressing concurrent session control

system design documentation

system configuration settings and associated documentation

security plan

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing access control policy for concurrent session control

Related control: SC-23.

Control enhancements
References
AC-11 Device Lock

Implementation Level: System

Texas A&M System Required By: 2024-02-01

Texas A&M System New Requirement: Yes

Control:

a. Prevent further access to the system by [Selection: initiating a device lock after [Assignment: time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and

b. Retain the device lock until the user reestablishes access using established identification and authentication procedures.

Discussion

Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.

Assessment Objectives
AC-11a.

further access to the system is prevented by [Selection: initiating a device lock after [Assignment: time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended];

AC-11b.

device lock is retained until the user re-establishes access using established identification and authentication procedures.

Assessment Method: EXAMINE

Access control policy

procedures addressing session lock

procedures addressing identification and authentication

system design documentation

system configuration settings and associated documentation

security plan

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Mechanisms implementing access control policy for session lock

Related controls: AC-2, AC-7, IA-11, PL-4.

Control enhancement
AC-11(1) Device Lock | Pattern-hiding Displays

Implementation Level: System

Control: Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

Discussion

The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed.

Assessment Objective
AC-11(01)

information previously visible on the display is concealed, via device lock, with a publicly viewable image.

Assessment Method: EXAMINE

Access control policy

procedures addressing session lock

display screen with session lock activated

system design documentation

system configuration settings and associated documentation

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

System session lock mechanisms

References
AC-12 Session Termination

Implementation Level: System

Control: Automatically terminate a user session after [Assignment: conditions or trigger events].

Discussion

Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.

Assessment Objective
AC-12

a user session is automatically terminated after [Assignment: conditions or trigger events].

Assessment Method: EXAMINE

Access control policy

procedures addressing session termination

system design documentation

system configuration settings and associated documentation

list of conditions or trigger events requiring session disconnect

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

Automated mechanisms implementing user session termination

Related controls: MA-4, SC-10, SC-23.

Control enhancements
AC-12(1) Session Termination | User-initiated Logouts

Implementation Level: Organization

Implementation Level: System

Control: Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: information resources].

Discussion

Information resources to which users gain access via authentication include local workstations, databases, and password-protected websites or web-based services.

Assessment Objective
AC-12(01)

a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: information resources].

Assessment Method: EXAMINE

Access control policy

procedures addressing session termination

user logout messages

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

System session termination mechanisms

logout capabilities for user-initiated communications sessions

AC-12(2) Session Termination | Termination Message

Implementation Level: System

Control: Display an explicit logout message to users indicating the termination of authenticated communications sessions.

Discussion

Logout messages for web access can be displayed after authenticated sessions have been terminated. However, for certain types of sessions, including file transfer protocol (FTP) sessions, systems typically send logout messages as final messages prior to terminating sessions.

Assessment Objective
AC-12(02)

an explicit logout message is displayed to users indicating the termination of authenticated communication sessions.

Assessment Method: EXAMINE

Access control policy

procedures addressing session termination

user logout messages

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

System session termination mechanisms

display of logout messages

AC-12(3) Session Termination | Timeout Warning Message

Implementation Level: System

Control: Display an explicit message to users indicating that the session will end in [Assignment: time].

Discussion

To increase usability, notify users of pending session termination and prompt users to continue the session. The pending session termination time period is based on the parameters defined in the AC-12 base control.
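As an added example that is not part of this catalog or of NIST SP 800-53, the following Python ties together the session controls above: the per-account-type concurrent session limit of AC-10, the three trigger events named in the AC-12 discussion (inactivity period, targeted incident response, time-of-day restriction), and the AC-12(3) warning issued [Assignment: time] before an inactive session ends. The policy values, account names and session identifiers are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass
class SessionPolicy:
    """Assignments for AC-10, AC-12 and AC-12(3); the values chosen below are examples."""
    max_sessions: Dict[str, int]        # AC-10: account type -> [Assignment: number]
    inactivity_limit: timedelta         # AC-12 trigger: organization-defined period of inactivity
    allowed_hours: Tuple[time, time]    # AC-12 trigger: time-of-day restriction [start, end)
    warning_lead: timedelta             # AC-12(3): [Assignment: time] before the session ends


@dataclass
class Session:
    user: str
    account_type: str
    last_activity: datetime


class SessionManager:
    def __init__(self, policy: SessionPolicy):
        self.policy = policy
        self.sessions: Dict[str, Session] = {}   # session id -> session
        self.incident_users: set = set()         # AC-12 trigger: targeted incident response
        self._counter = 0

    def open(self, user: str, account_type: str, now: datetime) -> Optional[str]:
        """AC-10: refuses a new logical session once the limit for the account type is reached."""
        active = sum(1 for s in self.sessions.values() if s.user == user)
        if active >= self.policy.max_sessions[account_type]:
            return None
        self._counter += 1
        sid = f"s{self._counter}"
        self.sessions[sid] = Session(user, account_type, now)
        return sid

    def touch(self, sid: str, now: datetime) -> None:
        """Records user activity, which restarts the inactivity clock."""
        self.sessions[sid].last_activity = now

    def termination_reason(self, sid: str, now: datetime) -> Optional[str]:
        """AC-12: the first trigger event that fired, or None if the session may continue."""
        s = self.sessions[sid]
        if s.user in self.incident_users:
            return "incident-response"
        if now - s.last_activity >= self.policy.inactivity_limit:
            return "inactivity"
        start, end = self.policy.allowed_hours
        if not (start <= now.time() < end):
            return "time-of-day"
        return None

    def warning(self, sid: str, now: datetime) -> Optional[timedelta]:
        """AC-12(3): time left before inactivity termination when inside the warning lead, else None."""
        remaining = self.policy.inactivity_limit - (now - self.sessions[sid].last_activity)
        if timedelta(0) < remaining <= self.policy.warning_lead:
            return remaining
        return None

    def sweep(self, now: datetime) -> Dict[str, str]:
        """Terminates every session whose trigger fired; returns session id -> reason."""
        ended = {}
        for sid in list(self.sessions):
            reason = self.termination_reason(sid, now)
            if reason:
                ended[sid] = reason
                del self.sessions[sid]
        return ended


def demo():
    policy = SessionPolicy(
        max_sessions={"user": 3, "admin": 1},     # tighter limit for privileged accounts (AC-10)
        inactivity_limit=timedelta(minutes=15),
        allowed_hours=(time(7, 0), time(19, 0)),
        warning_lead=timedelta(minutes=2),
    )
    mgr = SessionManager(policy)
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    mgr.open("root-admin", "admin", t0)                       # hypothetical accounts
    second_admin = mgr.open("root-admin", "admin", t0)        # refused by the AC-10 limit
    alice = mgr.open("alice", "user", t0)
    mgr.open("bob", "user", t0)
    mgr.touch(alice, t0 + timedelta(minutes=10))
    mgr.incident_users.add("bob")
    ended = mgr.sweep(t0 + timedelta(minutes=20))             # admin idle, bob under incident response
    warn = mgr.warning(alice, t0 + timedelta(minutes=23, seconds=30))   # 1m30s left -> warned
    mgr.touch(alice, t0 + timedelta(hours=10))                # 19:00, outside allowed hours
    after_hours = mgr.termination_reason(alice, t0 + timedelta(hours=10))
    return second_admin, warn, ended, after_hours


if __name__ == "__main__":
    print(demo())
```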

Assessment Objective
AC-12(03)

an explicit message to users is displayed indicating that the session will end in [Assignment: time].

Assessment Method: EXAMINE

Access control policy

procedures addressing session termination

time until end of session messages

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

system developers

Assessment Method: TEST

System session termination mechanisms

display of end of session time

References
AC-13 Supervision and Review — Access Control

[Withdrawn: Incorporated into AC-2, AU-6.]

Control enhancements
AC-14 Permitted Actions Without Identification or Authentication

Implementation Level: Organization

Texas DIR Baseline: LOW

Texas DIR Required By: 2023-01-20

Control:

a. Identify [Assignment: user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and

b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

Discussion

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be none.

Assessment Objectives
AC-14a.

[Assignment: user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;

AC-14b.[01]

user actions not requiring identification or authentication are documented in the security plan for the system;

AC-14b.[02]

a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.

Assessment Method: EXAMINE

Access control policy

procedures addressing permitted actions without identification or authentication

system configuration settings and associated documentation

security plan

list of user actions that can be performed without identification or authentication

system audit records

system security plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security responsibilities

Related controls: AC-8, IA-2, PL-2.

Control enhancement
AC-14(1) Permitted Actions Without Identification or Authentication | Necessary Uses

[Withdrawn: Incorporated into AC-14.]

References
AC-15 Automated Marking

[Withdrawn: Incorporated into MP-3.]

Control enhancements
AC-16 Security and Privacy Attributes

Implementation Level: Organization

Control:

a.

Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission;

b.

Ensure that the attribute associations are made and retained with the information;

c.

Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes];

d.

Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: attribute values or ranges];

e.

Audit changes to attributes; and

f.

Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency].

Discussion

Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures, such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions that represent the basic properties or characteristics of active and passive entities with respect to safeguarding information. Privacy attributes, which may be used independently or in conjunction with security attributes, represent the basic properties or characteristics of active or passive entities with respect to the management of personally identifiable information. Attributes can be either explicitly or implicitly associated with the information contained in organizational systems or system components.

Attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, cause information to flow among objects, or change the system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of attributes to subjects and objects by a system is referred to as binding and is inclusive of setting the attribute value and the attribute type. Attributes, when bound to data or information, permit the enforcement of security and privacy policies for access control and information flow control, including data retention limits, permitted uses of personally identifiable information, and identification of personal information within data objects. Such enforcement occurs through organizational processes or system functions or mechanisms. The binding techniques implemented by systems affect the strength of attribute binding to information. Binding strength and the assurance associated with binding techniques play important parts in the trust that organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. The content or assigned values of attributes can directly affect the ability of individuals to access organizational information.

Organizations can define the types of attributes needed for systems to support missions or business functions. There are many values that can be assigned to a security attribute. By specifying the permitted attribute ranges and values, organizations ensure that attribute values are meaningful and relevant. Labeling refers to the association of attributes with the subjects and objects represented by the internal data structures within systems. This facilitates system-based enforcement of information security and privacy policies. Labels include classification of information in accordance with legal and compliance requirements (e.g., top secret, secret, confidential, controlled unclassified); information impact level; high value asset information; access authorizations; nationality; data life cycle protection (i.e., encryption and data expiration); personally identifiable information processing permissions, including individual consent to personally identifiable information processing; and contractor affiliation. A term related to labeling is marking. Marking refers to the association of attributes with objects in a human-readable form and displayed on system media. Marking enables manual, procedural, or process-based enforcement of information security and privacy policies. Security and privacy labels may have the same value as media markings (e.g., top secret, secret, confidential). See MP-3 (Media Marking).

Assessment Objectives
AC-16a.[01]

the means to associate [Assignment: types of security attributes] with [Assignment: security attribute values] for information in storage, in process, and/or in transmission are provided;

AC-16a.[02]

the means to associate [Assignment: types of privacy attributes] with [Assignment: privacy attribute values] for information in storage, in process, and/or in transmission are provided;

AC-16b.[01]

attribute associations are made;

AC-16b.[02]

attribute associations are retained with the information;

AC-16c.[01]

the following permitted security attributes are established from the attributes defined in AC-16_ODP[01] for [Assignment: systems]: [Assignment: security attributes];

AC-16c.[02]

the following permitted privacy attributes are established from the attributes defined in AC-16_ODP[02] for [Assignment: systems]: [Assignment: privacy attributes];

AC-16d.

the following permitted attribute values or ranges for each of the established attributes are determined: [Assignment: attribute values or ranges];

AC-16e.

changes to attributes are audited;

AC-16f.[01]

[Assignment: security attributes] are reviewed for applicability [Assignment: frequency];

AC-16f.[02]

[Assignment: privacy attributes] are reviewed for applicability [Assignment: frequency].

Assessment Method: EXAMINE

Access control policy

procedures addressing the association of security and privacy attributes to information in storage, in process, and in transmission

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security and privacy responsibilities

system developers

Assessment Method: TEST

Organizational capability supporting and maintaining the association of security and privacy attributes to information in storage, in process, and in transmission

Related controls: AC-3, AC-4, AC-6, AC-21, AC-25, AU-2, AU-10, MP-3, PE-22, PT-2, PT-3, PT-4, SC-11, SC-16, SI-12, SI-18.

Control enhancements
AC-16(1) Security and Privacy Attributes | Dynamic Attribute Association

Implementation Level: System

Control: Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies].

Discussion

Dynamic association of attributes is appropriate whenever the security or privacy characteristics of information change over time. Attributes may change due to information aggregation issues (i.e., characteristics of individual data elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), changes in the security category of information, or changes in security or privacy policies. Attributes may also change situationally.
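The binding, permitted-value and enforcement concepts from the AC-16 discussion above, together with the dynamic re-labeling of aggregated information described for AC-16(1), as an added Python illustration. This is not part of the catalog and not code from any Texas A&M system; the attribute types and values, the entity names, the authorized-changer set and the audit log are all constructed for the example.

```python
"""Constructed illustration of AC-16 concepts: attributes bound to subjects and
objects (AC-16a/b), permitted types and value ranges (AC-16c/d), audited and
authorization-gated attribute changes (AC-16e, AC-16(2)), policy enforcement
on the bound labels, and dynamic re-labeling of aggregates (AC-16(1))."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# AC-16c/d (constructed): permitted attribute types and their permitted values.
# Classification values are listed from least to most sensitive.
CLASSIFICATION_ORDER = ["public", "confidential", "secret", "top secret"]
PERMITTED_ATTRIBUTES: Dict[str, List[str]] = {
    "classification": CLASSIFICATION_ORDER,      # security attribute (objects and subjects)
    "pii": ["none", "pii"],                      # privacy attribute on objects
    "pii_processing": ["prohibited", "permitted"],  # privacy attribute on subjects
}

AUDIT_LOG: List[Dict[str, object]] = []  # AC-16e: every change attempt is recorded here


class PolicyViolation(Exception):
    """Raised when a binding or a change falls outside the configured policy."""


@dataclass
class Entity:
    """A subject or object with the attributes bound to it (AC-16a/b)."""
    name: str
    attributes: Dict[str, str] = field(default_factory=dict)


def validate_attributes(attributes: Dict[str, str]) -> None:
    """Reject attribute types and values that are not in the permitted set,
    so that every bound value is meaningful (AC-16c/d)."""
    for attr_type, value in attributes.items():
        if attr_type not in PERMITTED_ATTRIBUTES:
            raise PolicyViolation(f"unknown attribute type {attr_type!r}")
        if value not in PERMITTED_ATTRIBUTES[attr_type]:
            raise PolicyViolation(f"{value!r} is not a permitted value for {attr_type!r}")


def bind(name: str, attributes: Dict[str, str]) -> Entity:
    """Bind validated attributes to a new subject or object."""
    validate_attributes(attributes)
    return Entity(name, dict(attributes))


def change_attribute(entity: Entity, attr_type: str, new_value: str,
                     actor: str, authorized_changers: Set[str]) -> None:
    """Change one bound attribute value. Only authorized actors may do so
    (AC-16(2)); granted and denied attempts are both audited (AC-16e)."""
    record = {"entity": entity.name, "attribute": attr_type,
              "old": entity.attributes.get(attr_type), "new": new_value, "actor": actor}
    if actor not in authorized_changers:
        AUDIT_LOG.append({**record, "result": "denied"})
        raise PolicyViolation(f"{actor!r} is not authorized to change {attr_type!r}")
    validate_attributes({attr_type: new_value})  # the new value must stay in range
    entity.attributes[attr_type] = new_value
    AUDIT_LOG.append({**record, "result": "granted"})


def may_read(subject: Entity, obj: Entity) -> bool:
    """Enforce policy on the bound labels: the subject's clearance must dominate
    the object's classification, and an object holding PII may only be read by
    a subject permitted to process PII."""
    rank = CLASSIFICATION_ORDER.index
    if rank(subject.attributes["classification"]) < rank(obj.attributes["classification"]):
        return False
    if obj.attributes.get("pii") == "pii" and subject.attributes.get("pii_processing") != "permitted":
        return False
    return True


def combine(name: str, *parts: Entity) -> Entity:
    """AC-16(1): derive the labels of an aggregate as it is created. The
    classification is the highest of the parts (high-water mark) and the
    aggregate holds PII if any part does, so the combination can be more
    sensitive than any single element."""
    classification = max((p.attributes["classification"] for p in parts),
                         key=CLASSIFICATION_ORDER.index)
    pii = "pii" if any(p.attributes.get("pii") == "pii" for p in parts) else "none"
    return bind(name, {"classification": classification, "pii": pii})


def demo() -> Dict[str, object]:
    """Constructed scenario; returns the access decisions and audit count."""
    AUDIT_LOG.clear()
    analyst = bind("analyst", {"classification": "secret", "pii_processing": "prohibited"})
    hr_officer = bind("hr_officer", {"classification": "confidential", "pii_processing": "permitted"})
    budget = bind("budget.xlsx", {"classification": "confidential", "pii": "none"})
    payroll = bind("payroll.csv", {"classification": "confidential", "pii": "pii"})
    owners = {"data_owner"}
    change_attribute(budget, "classification", "secret", actor="data_owner", authorized_changers=owners)
    try:  # an unauthorized downgrade is refused and leaves an audit record
        change_attribute(payroll, "classification", "public", actor="intern", authorized_changers=owners)
        tampered = True
    except PolicyViolation:
        tampered = False
    report = combine("quarterly_report", budget, payroll)  # inherits secret + pii
    return {
        "analyst_reads_budget": may_read(analyst, budget),
        "analyst_reads_payroll": may_read(analyst, payroll),
        "hr_reads_payroll": may_read(hr_officer, payroll),
        "hr_reads_report": may_read(hr_officer, report),
        "analyst_reads_report": may_read(analyst, report),
        "report_labels": dict(report.attributes),
        "intern_changed_label": tampered,
        "audit_entries": len(AUDIT_LOG),
    }


if __name__ == "__main__":
    print(demo())
```

In the scenario neither subject can read the aggregate even though each can read one of its parts: the report inherits the higher classification from the re-labeled budget and the PII marking from the payroll file, which is the aggregation effect the AC-16(1) discussion describes. The audit log holds one granted and one denied change, the evidence an assessor would look for under AC-16e.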

Assessment Objectives
AC-16(01)[01]

security attributes are dynamically associated with [Assignment: subjects] in accordance with the following security policies as information is created and combined: [Assignment: security policies];

AC-16(01)[02]

security attributes are dynamically associated with [Assignment: objects] in accordance with the following security policies as information is created and combined: [Assignment: security policies];

AC-16(01)[03]

privacy attributes are dynamically associated with [Assignment: subjects] in accordance with the following privacy policies as information is created and combined: [Assignment: privacy policies];

AC-16(01)[04]

privacy attributes are dynamically associated with [Assignment: objects] in accordance with the following privacy policies as information is created and combined: [Assignment: privacy policies].

Assessment Method: EXAMINE

Access control policy

procedures addressing dynamic association of security and privacy attributes to information

system design documentation

system configuration settings and associated documentation

system audit records

system security plan

privacy plan

other relevant documents or records

Assessment Method: INTERVIEW

System/network administrators

organizational personnel with information security and privacy responsibilities

system developers

Assessment Method: TEST

Automated mechanisms implementing dynamic association of security and privacy attributes to information

AC-16(2) Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals

Implementation Level: System

Control: Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.

Discussion

The content or assigned values of attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for systems to be able to limit the ability to create or modify attributes to authorized individuals.

Assessment Objectives
AC-16(02)[01]

authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated security attributes;

AC-16(02)[02]

authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated privacy attributes.

Assessment Method: EXAMINE

Access control policy

procedures addressing the change of security and privacy attribute values