AC-03 Access Enforcement
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Baselines
- L
- M
- H
- P
Guidance
Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ([PE](#pe)) family.
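The guidance above describes the subject/object model and notes that enforcement can sit at the application level as well as the system level. The following is an added illustration, not text or code from NIST SP 800-53: a small application-level enforcement point that checks each request from a subject (a user, or a process acting on behalf of a user) against a set of approved authorizations, denies by default, and records every decision. The `Subject`, `Authorization` and `AccessEnforcer` names, the sample policy and the object store are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Subject:
    """An active entity: a user, or a process acting on behalf of a user."""
    name: str
    kind: str                           # "user" or "process"
    on_behalf_of: Optional[str] = None  # for processes: the user they act for


@dataclass(frozen=True)
class Authorization:
    """One approved authorization: (effective user, object, action)."""
    user: str
    obj: str
    action: str


@dataclass
class AccessEnforcer:
    """Mediates every access against the approved-authorization set.

    Default deny: anything not explicitly approved is refused, including
    requests from processes that cannot be attributed to a user.
    """
    approved: FrozenSet[Authorization]
    audit: List[Dict[str, str]] = field(default_factory=list)

    @staticmethod
    def effective_user(subject: Subject) -> Optional[str]:
        """A process inherits the authorizations of the user it acts for; none otherwise."""
        if subject.kind == "user":
            return subject.name
        return subject.on_behalf_of  # None for an unattributed process

    def check(self, subject: Subject, obj: str, action: str) -> bool:
        user = self.effective_user(subject)
        allowed = user is not None and Authorization(user, obj, action) in self.approved
        # Every decision is recorded so denials can be reviewed (ties in with AU-family controls).
        self.audit.append({
            "subject": subject.name, "user": user or "-",
            "object": obj, "action": action,
            "decision": "allow" if allowed else "deny",
        })
        return allowed


def guarded_read(enforcer: AccessEnforcer, subject: Subject, obj: str, store: Dict[str, str]) -> str:
    """Application-level enforcement point: the store is only touched after an allow decision.

    Because the check runs first, an unknown object is refused with PermissionError
    rather than leaking its absence through a KeyError (fail closed).
    """
    if not enforcer.check(subject, obj, "read"):
        raise PermissionError(f"{subject.name} may not read {obj}")
    return store[obj]


# Constructed sample policy and object store (hypothetical values, not from the control text).
APPROVED = frozenset({
    Authorization("alice", "/records/payroll.csv", "read"),
    Authorization("alice", "/records/payroll.csv", "write"),
    Authorization("bob", "/records/payroll.csv", "read"),
})
STORE = {
    "/records/payroll.csv": "id,salary\n1,1000\n",
    "/records/hr.csv": "id,review\n1,ok\n",
}


if __name__ == "__main__":
    enf = AccessEnforcer(APPROVED)
    print(guarded_read(enf, Subject("alice", "user"), "/records/payroll.csv", STORE))
    print(guarded_read(enf, Subject("report-job", "process", on_behalf_of="bob"),
                       "/records/payroll.csv", STORE))
    for record in enf.audit:
        print(record)
```

The authorization set is immutable and the enforcer is the only path to the store, which is the property the guidance asks for: the policy is decided once, and the mechanism that consults it is the same for a user and for a process acting on that user's behalf.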
References (8)
- PRIVACT Privacy Act (P.L. 93-579), December 1974.
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016.
- SP 800-57-1 Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5.
- SP 800-57-2 Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1.
- SP 800-57-3 Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1.
- SP 800-162 Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019.
- SP 800-178 Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178.
- IR 7874 Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874.
Control Enhancements (15)
- AC-03(01) Restricted Access to Privileged Functions
- AC-03(02) Dual Authorization
- AC-03(03) Mandatory Access Control
- AC-03(04) Discretionary Access Control
- AC-03(05) Security-relevant Information
- AC-03(06) Protection of User and System Information
- AC-03(07) Role-based Access Control
- AC-03(08) Revocation of Access Authorizations
- AC-03(09) Controlled Release
- AC-03(10) Audited Override of Access Control Mechanisms
- AC-03(11) Restrict Access to Specific Information Types
- AC-03(12) Assert and Enforce Application Access
- AC-03(13) Attribute-based Access Control
- AC-03(14) Individual Access
- AC-03(15) Discretionary and Mandatory Access Control
Related controls (44)
- AC-02 Account Management
- AC-04 Information Flow Enforcement
- AC-05 Separation of Duties
- AC-06 Least Privilege
- AC-16 Security and Privacy Attributes
- AC-17 Remote Access
- AC-18 Wireless Access
- AC-19 Access Control for Mobile Devices
- AC-20 Use of External Systems
- AC-21 Information Sharing
- AC-22 Publicly Accessible Content
- AC-24 Access Control Decisions
- AC-25 Reference Monitor
- AT-02 Literacy Training and Awareness
- AT-03 Role-based Training
- AU-09 Protection of Audit Information
- CA-09 Internal System Connections
- CM-05 Access Restrictions for Change
- CM-11 User-installed Software
- IA-02 Identification and Authentication (Organizational Users)
- IA-05 Authenticator Management
- IA-06 Authentication Feedback
- IA-07 Cryptographic Module Authentication
- IA-11 Re-authentication
- IA-13 Identity Providers and Authorization Servers
- MA-03 Maintenance Tools
- MA-04 Nonlocal Maintenance
- MA-05 Maintenance Personnel
- MP-04 Media Storage
- PM-02 Information Security Program Leadership Role
- PS-03 Personnel Screening
- PT-02 Authority to Process Personally Identifiable Information
- PT-03 Personally Identifiable Information Processing Purposes
- SA-17 Developer Security and Privacy Architecture and Design
- SC-02 Separation of System and User Functionality
- SC-03 Security Function Isolation
- SC-04 Information in Shared System Resources
- SC-12 Cryptographic Key Establishment and Management
- SC-13 Cryptographic Protection
- SC-28 Protection of Information at Rest
- SC-31 Covert Channel Analysis
- SC-34 Non-modifiable Executable Programs
- SI-04 System Monitoring
- SI-08 Spam Protection