Access Control
NIST SP 800-53 Rev 5 Access Control controls.
Policy and Procedures
Develop, document, and disseminate to [parameter]:
Account Management
Define and document the types of accounts allowed and specifically prohibited for use within the system;
Access Enforcement
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Information Flow Enforcement
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [parameter].
Separation of Duties
Identify and document [parameter] ; and
Least Privilege
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
Unsuccessful Logon Attempts
Enforce a limit of [parameter] consecutive invalid logon attempts by a user during a [parameter] ; and
System Use Notification
Display [parameter] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:
Previous Logon Notification
Notify the user, upon successful logon to the system, of the date and time of the last logon.
Concurrent Session Control
Limit the number of concurrent sessions for each [parameter] to [parameter].
Device Lock
Prevent further access to the system by [parameter] ; and
Session Termination
Automatically terminate a user session after [parameter].
Supervision and Review — Access Control
Supervision and Review — Access Control
Permitted Actions Without Identification or Authentication
Identify [parameter] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and
Automated Marking
Automated Marking
Security and Privacy Attributes
Provide the means to associate [parameter] with [parameter] for information in storage, in process, and/or in transmission;
Remote Access
Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
Wireless Access
Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
Access Control for Mobile Devices
Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and
Use of External Systems
[parameter] , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
Information Sharing
Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [parameter] ; and
Publicly Accessible Content
Designate individuals authorized to make information publicly accessible;
Data Mining Protection
Employ [parameter] for [parameter] to detect and protect against unauthorized data mining.
Access Control Decisions
[parameter] to ensure [parameter] are applied to each access request prior to access enforcement.
Reference Monitor
Implement a reference monitor for [parameter] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.