03.01.02: Access Enforcement
Control Family: Access Control
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-46 [14]
SP 800-57-1 [15]
SP 800-57-2 [16]
SP 800-57-3 [17]
SP 800-77 [18]
SP 800-113 [19]
SP 800-114 [20]
SP 800-121 [21]
SP 800-162 [22]
SP 800-178 [23]
SP 800-192 [24]
IR 7874 [25]
IR 7966 [26]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.01.02
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
AC-03
Enforce approved authorizations for logical access to CUI and system resources in accordance with applicable access control policies.
Discussion:
Access control policies control access between active entities or subjects (i.e., users or system processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. Types of system access include remote access and access to systems that communicate through external networks, such as the internet. Access enforcement mechanisms can also be employed at the application and service levels to provide increased protection for CUI. This recognizes that the system can host many applications and services in support of mission and business functions. Access control policies are defined in 03.15.01.
Assessment Methods and Objectives
Examine [SELECT FROM: access control policy and procedures; procedures for access enforcement; system design documentation; system configuration settings; list of approved authorizations (i.e., user privileges); system audit records; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with access enforcement responsibilities; system administrators; personnel with information security responsibilities; system developers]
Test [SELECT FROM: mechanisms for implementing the access control policy]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.01.02[01]: approved authorizations for logical access to CUI are enforced in accordance with applicable access control policies.
A.03.01.02[02]: approved authorizations for logical access to system resources are enforced in accordance with applicable access control policies.
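Worked example (added here; not part of NIST SP 800-171r3, SP 800-171A r3, or any NIST publication): the Discussion describes enforcement between active subjects and passive objects, possibly at the application or service level, and the Test method asks the assessor to exercise the mechanism that implements the access control policy. The Python below is an application-level, deny-by-default enforcement point that checks a (subject, object, action) request against a list of approved authorizations and writes an audit record, together with a check an assessor could run to compare the mechanism's actual decisions against the approved list. It also includes a deliberately flawed mechanism that grants by subject only, so the check can be seen to catch an over-grant. All subjects, object names, actions, the approved list, and the request set are constructed sample data; the function names are the author's own and do not correspond to any product or standard API.

```python
# Added example, not from NIST SP 800-171r3 / SP 800-171A r3.
# Deny-by-default access enforcement for subjects acting on objects, plus an
# assessor-style check of the mechanism against the approved authorization list.
# All identifiers and data below are constructed sample values.
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Authorization:
    """One approved (subject, object, action) triple."""
    subject: str  # active entity: user, or process acting on a user's behalf
    obj: str      # passive entity: file, record, endpoint; trailing '/' = path prefix
    action: str   # operation on the object


# Constructed sample list of approved authorizations (user privileges).
APPROVED = frozenset({
    Authorization("alice", "cui/contract-42.pdf", "read"),
    Authorization("alice", "cui/contract-42.pdf", "write"),
    Authorization("bob", "cui/contract-42.pdf", "read"),
    Authorization("svc-backup", "cui/", "read"),
})


def is_approved(approved: Iterable[Authorization], subject: str, obj: str, action: str) -> bool:
    """Policy decision: True only if some approved triple covers the request."""
    for a in approved:
        if a.subject != subject or a.action != action:
            continue
        if a.obj == obj or (a.obj.endswith("/") and obj.startswith(a.obj)):
            return True
    return False  # deny by default: nothing matched


@dataclass(frozen=True)
class AuditRecord:
    subject: str
    obj: str
    action: str
    allowed: bool


def enforce(subject: str, obj: str, action: str, audit: list,
            approved: Iterable[Authorization] = APPROVED) -> bool:
    """Enforcement point: decide, record an audit entry, return the decision."""
    allowed = is_approved(approved, subject, obj, action)
    audit.append(AuditRecord(subject, obj, action, allowed))
    return allowed


def enforce_subject_only(subject: str, obj: str, action: str, audit: list,
                         approved: Iterable[Authorization] = APPROVED) -> bool:
    """Constructed flawed mechanism: grants any action on any object to a subject
    that appears anywhere in the approved list. Over-grants relative to policy."""
    allowed = any(a.subject == subject for a in approved)
    audit.append(AuditRecord(subject, obj, action, allowed))
    return allowed


def verify_enforcement(mechanism: Callable, requests: Iterable[tuple],
                       approved: Iterable[Authorization] = APPROVED) -> list:
    """Assessor check (Test method): exercise the mechanism with sample requests and
    return every request whose actual decision differs from the approved list."""
    mismatches = []
    for subject, obj, action in requests:
        expected = is_approved(approved, subject, obj, action)
        actual = mechanism(subject, obj, action, [], approved)
        if actual != expected:
            mismatches.append((subject, obj, action, expected, actual))
    return mismatches


# Constructed requests: negative cases (must be denied) matter as much as positives.
TEST_REQUESTS = [
    ("alice", "cui/contract-42.pdf", "read"),
    ("alice", "cui/contract-42.pdf", "write"),
    ("bob", "cui/contract-42.pdf", "write"),          # bob is read-only
    ("bob", "cui/contract-99.pdf", "read"),           # not in the approved list
    ("svc-backup", "cui/archive/2024.tar", "read"),   # covered by the 'cui/' prefix
    ("svc-backup", "cui/archive/2024.tar", "write"),  # prefix grant is read-only
    ("mallory", "cui/contract-42.pdf", "read"),       # unknown subject
]

if __name__ == "__main__":
    print("correct mechanism mismatches:", verify_enforcement(enforce, TEST_REQUESTS))
    print("flawed mechanism mismatches:", verify_enforcement(enforce_subject_only, TEST_REQUESTS))
```

The point of verify_enforcement is the one an assessor needs for A.03.01.02[01] and [02]: the list of approved authorizations is the reference, and the mechanism is tested with requests it must deny, not only with requests it must allow. Against the constructed data, the correct mechanism produces no mismatches, while the subject-only mechanism wrongly allows bob to write, bob to read a second file, and the backup service to write under the prefix.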