| Control ID | Control Name | Status |
|---|---|---|
| AC-01 | Policy and Procedures | |
| AC-02 | Account Management | |
| AC-02(01) | Automated System Account Management | |
| AC-02(02) | Automated Temporary and Emergency Account Management | |
| AC-02(03) | Disable Accounts | |
| AC-02(04) | Automated Audit Actions | |
| AC-02(05) | Inactivity Logout | |
| AC-02(06) | Dynamic Privilege Management | |
| AC-02(07) | Privileged User Accounts | |
| AC-02(08) | Dynamic Account Management | |
| AC-02(09) | Restrictions on Use of Shared and Group Accounts | |
| AC-02(10) | Shared and Group Account Credential Change | Incorporated into AC-2_SMT.K. |
| AC-02(11) | Usage Conditions | |
| AC-02(12) | Account Monitoring for Atypical Usage | |
| AC-02(13) | Disable Accounts for High-risk Individuals | |
| AC-03 | Access Enforcement | |
| AC-03(01) | Restricted Access to Privileged Functions | Incorporated into AC-6. |
| AC-03(02) | Dual Authorization | |
| AC-03(03) | Mandatory Access Control | |
| AC-03(04) | Discretionary Access Control | |
| AC-03(05) | Security-relevant Information | |
| AC-03(06) | Protection of User and System Information | Incorporated into MP-4 and SC-28. |
| AC-03(07) | Role-based Access Control | |
| AC-03(08) | Revocation of Access Authorizations | |
| AC-03(09) | Controlled Release | |
| AC-03(10) | Audited Override of Access Control Mechanisms | |
| AC-03(11) | Restrict Access to Specific Information Types | |
| AC-03(12) | Assert and Enforce Application Access | |
| AC-03(13) | Attribute-based Access Control | |
| AC-03(14) | Individual Access | |
| AC-03(15) | Discretionary and Mandatory Access Control | |
| AC-04 | Information Flow Enforcement | |
| AC-04(01) | Object Security and Privacy Attributes | |
| AC-04(02) | Processing Domains | |
| AC-04(03) | Dynamic Information Flow Control | |
| AC-04(04) | Flow Control of Encrypted Information | |
| AC-04(05) | Embedded Data Types | |
| AC-04(06) | Metadata | |
| AC-04(07) | One-way Flow Mechanisms | |
| AC-04(08) | Security and Privacy Policy Filters | |
| AC-04(09) | Human Reviews | |
| AC-04(10) | Enable and Disable Security or Privacy Policy Filters | |
| AC-04(11) | Configuration of Security or Privacy Policy Filters | |
| AC-04(12) | Data Type Identifiers | |
| AC-04(13) | Decomposition into Policy-relevant Subcomponents | |
| AC-04(14) | Security or Privacy Policy Filter Constraints | |
| AC-04(15) | Detection of Unsanctioned Information | |
| AC-04(16) | Information Transfers on Interconnected Systems | Incorporated into AC-4. |
| AC-04(17) | Domain Authentication | |
| AC-04(18) | Security Attribute Binding | Incorporated into AC-16. |
| AC-04(19) | Validation of Metadata | |
| AC-04(20) | Approved Solutions | |
| AC-04(21) | Physical or Logical Separation of Information Flows | |
| AC-04(22) | Access Only | |
| AC-04(23) | Modify Non-releasable Information | |
| AC-04(24) | Internal Normalized Format | |
| AC-04(25) | Data Sanitization | |
| AC-04(26) | Audit Filtering Actions | |
| AC-04(27) | Redundant/Independent Filtering Mechanisms | |
| AC-04(28) | Linear Filter Pipelines | |
| AC-04(29) | Filter Orchestration Engines | |
| AC-04(30) | Filter Mechanisms Using Multiple Processes | |
| AC-04(31) | Failed Content Transfer Prevention | |
| AC-04(32) | Process Requirements for Information Transfer | |
| AC-05 | Separation of Duties | |
| AC-06 | Least Privilege | |
| AC-06(01) | Authorize Access to Security Functions | |
| AC-06(02) | Non-privileged Access for Nonsecurity Functions | |
| AC-06(03) | Network Access to Privileged Commands | |
| AC-06(04) | Separate Processing Domains | |
| AC-06(05) | Privileged Accounts | |
| AC-06(06) | Privileged Access by Non-organizational Users | |
| AC-06(07) | Review of User Privileges | |
| AC-06(08) | Privilege Levels for Code Execution | |
| AC-06(09) | Log Use of Privileged Functions | |
| AC-06(10) | Prohibit Non-privileged Users from Executing Privileged Functions | |
| AC-07 | Unsuccessful Logon Attempts | |
| AC-07(01) | Automatic Account Lock | Incorporated into AC-7. |
| AC-07(02) | Purge or Wipe Mobile Device | |
| AC-07(03) | Biometric Attempt Limiting | |
| AC-07(04) | Use of Alternate Authentication Factor | |
| AC-08 | System Use Notification | |
| AC-09 | Previous Logon Notification | |
| AC-09(01) | Unsuccessful Logons | |
| AC-09(02) | Successful and Unsuccessful Logons | |
| AC-09(03) | Notification of Account Changes | |
| AC-09(04) | Additional Logon Information | |
| AC-10 | Concurrent Session Control | |
| AC-11 | Device Lock | |
| AC-11(01) | Pattern-hiding Displays | |
| AC-12 | Session Termination | |
| AC-12(01) | User-initiated Logouts | |
| AC-12(02) | Termination Message | |
| AC-12(03) | Timeout Warning Message | |
| AC-13 | Supervision and Review — Access Control | Incorporated into AC-2 and AU-6. |
| AC-14 | Permitted Actions Without Identification or Authentication | |
| AC-14(01) | Necessary Uses | Incorporated into AC-14. |
| AC-15 | Automated Marking | Incorporated into MP-3. |
| AC-16 | Security and Privacy Attributes | |
| AC-16(01) | Dynamic Attribute Association | |
| AC-16(02) | Attribute Value Changes by Authorized Individuals | |
| AC-16(03) | Maintenance of Attribute Associations by System | |
| AC-16(04) | Association of Attributes by Authorized Individuals | |
| AC-16(05) | Attribute Displays on Objects to Be Output | |
| AC-16(06) | Maintenance of Attribute Association | |
| AC-16(07) | Consistent Attribute Interpretation | |
| AC-16(08) | Association Techniques and Technologies | |
| AC-16(09) | Attribute Reassignment — Regrading Mechanisms | |
| AC-16(10) | Attribute Configuration by Authorized Individuals | |
| AC-17 | Remote Access | |
| AC-17(01) | Monitoring and Control | |
| AC-17(02) | Protection of Confidentiality and Integrity Using Encryption | |
| AC-17(03) | Managed Access Control Points | |
| AC-17(04) | Privileged Commands and Access | |
| AC-17(05) | Monitoring for Unauthorized Connections | Incorporated into SI-4. |
| AC-17(06) | Protection of Mechanism Information | |
| AC-17(07) | Additional Protection for Security Function Access | Incorporated into AC-3.10. |
| AC-17(08) | Disable Nonsecure Network Protocols | Incorporated into CM-7. |
| AC-17(09) | Disconnect or Disable Access | |
| AC-17(10) | Authenticate Remote Commands | |
| AC-18 | Wireless Access | |
| AC-18(01) | Authentication and Encryption | |
| AC-18(02) | Monitoring Unauthorized Connections | Incorporated into SI-4. |
| AC-18(03) | Disable Wireless Networking | |
| AC-18(04) | Restrict Configurations by Users | |
| AC-18(05) | Antennas and Transmission Power Levels | |
| AC-19 | Access Control for Mobile Devices | |
| AC-19(01) | Use of Writable and Portable Storage Devices | Incorporated into MP-7. |
| AC-19(02) | Use of Personally Owned Portable Storage Devices | Incorporated into MP-7. |
| AC-19(03) | Use of Portable Storage Devices with No Identifiable Owner | Incorporated into MP-7. |
| AC-19(04) | Restrictions for Classified Information | |
| AC-19(05) | Full Device or Container-based Encryption | |
| AC-20 | Use of External Systems | |
| AC-20(01) | Limits on Authorized Use | |
| AC-20(02) | Portable Storage Devices — Restricted Use | |
| AC-20(03) | Non-organizationally Owned Systems — Restricted Use | |
| AC-20(04) | Network Accessible Storage Devices — Prohibited Use | |
| AC-20(05) | Portable Storage Devices — Prohibited Use | |
| AC-21 | Information Sharing | |
| AC-21(01) | Automated Decision Support | |
| AC-21(02) | Information Search and Retrieval | |
| AC-22 | Publicly Accessible Content | |
| AC-23 | Data Mining Protection | |
| AC-24 | Access Control Decisions | |
| AC-24(01) | Transmit Access Authorization Information | |
| AC-24(02) | No User or Process Identity | |
| AC-25 | Reference Monitor | |