AC-02 Account Management
a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
b. Assign account managers;
c. Require ac-02_odp.01 for group and role membership;
d. Specify:
1. Authorized users of the system;
2. Group and role membership; and
3. Access authorizations (i.e., privileges) and ac-02_odp.02 for each account;
e. Require approvals by ac-02_odp.03 for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with ac-02_odp.04;
g. Monitor the use of accounts;
h. Notify account managers and ac-02_odp.05 within:
1. ac-02_odp.06 when accounts are no longer required;
2. ac-02_odp.07 when users are terminated or transferred; and
3. ac-02_odp.08 when system usage or need-to-know changes for an individual;
i. Authorize access to the system based on:
1. A valid access authorization;
2. Intended system usage; and
3. ac-02_odp.09;
j. Review accounts for compliance with account management requirements ac-02_odp.10;
k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
l. Align account management processes with personnel termination and transfer processes.
| Parameter ID | Definition |
|---|---|
| ac-02_odp.01 | prerequisites and criteria |
| ac-02_odp.02 | attributes (as required) |
| ac-02_odp.03 | personnel or roles |
| ac-02_odp.04 | policy, procedures, prerequisites, and criteria |
| ac-02_odp.05 | personnel or roles |
| ac-02_odp.06 | time period |
| ac-02_odp.07 | time period |
| ac-02_odp.08 | time period |
| ac-02_odp.09 | attributes (as required) |
| ac-02_odp.10 | frequency |
Baselines
- L
- M
- H
- P
Guidance
Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.
Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.
Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.
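The two guidance paragraphs above describe account lifecycle conditions (expiration, termination or transfer of the owner, prohibited account types, accounts of last resort that are exempt from automatic disabling) and usage-condition attributes (time of day, day of week, point of origin). The following is an added example, not NIST text and not part of any NIST tool, that encodes those conditions as a periodic account review plus an access-authorization check. Every account record, the terminated-personnel feed, the review time, the 90-day inactivity limit and the choice of prohibited and expiring account kinds are constructed placeholders for values an organization would assign to the AC-02 parameters.

```python
# Added example: an AC-2 style account review and usage-condition check.
# All account records, policy values and time periods below are constructed
# for illustration; they are not NIST-defined values.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Account:
    name: str
    kind: str                       # individual, shared, temporary, emergency, last_resort, guest, ...
    owner: str                      # individual accountable for the account
    authorized: bool                # a valid access authorization is on file (AC-2 i.1)
    expires: Optional[datetime]     # expiration date for short-term accounts (AC-2 f policy)
    last_used: Optional[datetime]   # taken from account-usage monitoring (AC-2 g)
    allowed_hours: Tuple[int, int]  # usage condition: [start, end) hour, (0, 24) = unrestricted
    allowed_days: FrozenSet[int]    # usage condition: weekday numbers, 0 = Monday
    allowed_origins: FrozenSet[str] # usage condition: permitted points of origin
    enabled: bool = True


# Constructed organizational choices that would fill the AC-2 parameters.
PROHIBITED_KINDS = frozenset({"guest", "anonymous"})             # AC-2 a
EXPIRING_KINDS = frozenset({"temporary", "emergency", "shared"})  # AC-2 h.1
INACTIVITY_LIMIT = timedelta(days=90)                            # constructed review trigger
# Accounts of last resort stay available and are not subject to inactivity handling.
EXEMPT_FROM_INACTIVITY = frozenset({"last_resort"})


def lifecycle_findings(acct: Account, now: datetime, terminated: FrozenSet[str]) -> List[str]:
    """Return the AC-2 conditions an account currently violates (empty list = clean)."""
    findings: List[str] = []
    if acct.kind in PROHIBITED_KINDS:
        findings.append("prohibited-type")
    if not acct.authorized:
        findings.append("no-access-authorization")
    if acct.owner in terminated:
        findings.append("owner-terminated")          # AC-2 h.2 and l
    if acct.kind in EXPIRING_KINDS and acct.expires is not None and acct.expires <= now:
        findings.append("expired")                   # AC-2 h.1
    if (acct.kind not in EXEMPT_FROM_INACTIVITY and acct.last_used is not None
            and now - acct.last_used > INACTIVITY_LIMIT):
        findings.append("inactive")
    return findings


def authorize(acct: Account, when: datetime, origin: str) -> Tuple[bool, str]:
    """Evaluate an access request against the account's authorization and usage conditions (AC-2 i)."""
    if not acct.enabled:
        return False, "account disabled"
    if not acct.authorized:
        return False, "no valid access authorization"
    if acct.expires is not None and acct.expires <= when:
        return False, "account expired"
    if when.weekday() not in acct.allowed_days:
        return False, "outside permitted days"
    start, end = acct.allowed_hours
    if not start <= when.hour < end:
        return False, "outside permitted hours"
    if origin not in acct.allowed_origins:
        return False, "origin not permitted"
    return True, "ok"


def review(accounts: List[Account], now: datetime, terminated: FrozenSet[str]) -> Dict[str, List[str]]:
    """Periodic review (AC-2 j): map each non-compliant account name to its findings."""
    return {a.name: f for a in accounts if (f := lifecycle_findings(a, now, terminated))}


# Constructed sample data: a review time that falls on a Tuesday, a termination feed, five accounts.
NOW = datetime(2024, 3, 12, 14, 0, tzinfo=timezone.utc)
ALL_DAYS = frozenset(range(7))
WEEKDAYS = frozenset(range(5))
TERMINATED = frozenset({"bob"})  # fed from the personnel termination process (PS-04)

SAMPLE_ACCOUNTS = [
    Account("alice", "individual", "alice", True, None, NOW - timedelta(days=1),
            (8, 18), WEEKDAYS, frozenset({"corp", "vpn"})),
    Account("emerg-01", "emergency", "ops", True, NOW - timedelta(hours=1), NOW - timedelta(hours=2),
            (0, 24), ALL_DAYS, frozenset({"corp"})),
    Account("bob-temp", "temporary", "bob", True, NOW + timedelta(days=5), NOW - timedelta(days=3),
            (0, 24), ALL_DAYS, frozenset({"corp"})),
    Account("console-lastresort", "last_resort", "ops", True, None, NOW - timedelta(days=400),
            (0, 24), ALL_DAYS, frozenset({"console"})),
    Account("guest", "guest", "nobody", False, None, None, (0, 24), ALL_DAYS, frozenset()),
]

if __name__ == "__main__":
    for name, findings in review(SAMPLE_ACCOUNTS, NOW, TERMINATED).items():
        print(f"{name}: {', '.join(findings)}")
    print("alice from corp:", authorize(SAMPLE_ACCOUNTS[0], NOW, "corp"))
    print("alice from internet:", authorize(SAMPLE_ACCOUNTS[0], NOW, "internet"))
```

Running the review flags the expired emergency account, the temporary account whose owner appears in the termination feed, and the guest account (prohibited type, no authorization), while the account of last resort is left alone despite 400 days without use, which is the distinction the guidance draws between short-term accounts and infrequently used ones. The authorization check applies the other attributes in order, so a request from alice outside her permitted hours, on a weekend, or from an unlisted point of origin is denied with the specific reason, which is the kind of detail an audit record (AU-02, AC-02(04)) should carry.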
References
- SP 800-162 Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019.
- SP 800-178 Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178.
- SP 800-192 Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192.
Control Enhancements
- AC-02(01) Automated System Account Management
- AC-02(02) Automated Temporary and Emergency Account Management
- AC-02(03) Disable Accounts
- AC-02(04) Automated Audit Actions
- AC-02(05) Inactivity Logout
- AC-02(06) Dynamic Privilege Management
- AC-02(07) Privileged User Accounts
- AC-02(08) Dynamic Account Management
- AC-02(09) Restrictions on Use of Shared and Group Accounts
- AC-02(10) Shared and Group Account Credential Change
- AC-02(11) Usage Conditions
- AC-02(12) Account Monitoring for Atypical Usage
- AC-02(13) Disable Accounts for High-risk Individuals
Related controls
- AC-03 Access Enforcement
- AC-05 Separation of Duties
- AC-06 Least Privilege
- AC-17 Remote Access
- AC-18 Wireless Access
- AC-20 Use of External Systems
- AC-24 Access Control Decisions
- AU-02 Event Logging
- AU-12 Audit Record Generation
- CM-05 Access Restrictions for Change
- IA-02 Identification and Authentication (Organizational Users)
- IA-04 Identifier Management
- IA-05 Authenticator Management
- IA-08 Identification and Authentication (Non-organizational Users)
- MA-03 Maintenance Tools
- MA-05 Maintenance Personnel
- PE-02 Physical Access Authorizations
- PL-04 Rules of Behavior
- PS-02 Position Risk Designation
- PS-04 Personnel Termination
- PS-05 Personnel Transfer
- PS-07 External Personnel Security
- PT-02 Authority to Process Personally Identifiable Information
- PT-03 Personally Identifiable Information Processing Purposes
- SC-07 Boundary Protection
- SC-12 Cryptographic Key Establishment and Management
- SC-13 Cryptographic Protection
- SC-37 Out-of-band Channels