ARTIFACTS
AC: ACCESS CONTROL
What's On This Page
Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts organized in a way to make the information usable. From here you can navigate to the individual control pages where the artifacts associated with each control or control enhancement are displayed with the control. You can use the Links Panels to select the individual controls or control enhancements you want to work with.
Supplement the artifacts here with other relevant documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.
The Source of the Artifacts
The control information comes from NIST Special Publication 800-53R4, Security and Privacy Controls for Information Systems and Organizations, and NIST Special Publication 800-53AR4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful in understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.
Essential Artifacts for Risk-Based Cybersecurity Programs
This section includes the core documents for a risk-based cybersecurity program, the POLICY & PROCEDURES document for Access Control (AC), and the documents that are widely used in assessing the controls and control enhancements in the Access Control (AC) family. Policy and Procedure documents from other control families are in CAPS and identified with their two-letter family code.
CORE ARTIFACTS | WIDELY USED ARTIFACTS FOR ACCESS CONTROL |
Access Control POLICY & PROCEDURES (AC) | Information system design documentation |
Security Authorization Package Documents: ESSENTIALS | Information system configuration settings and associated documentation |
Asset Inventory | Information system audit records |
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU) | |
Configuration Management Plan | |
CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM) | |
Contingency Plan | |
CONTINGENCY PLANNING POLICY & PROCEDURES (CP) | |
Continuous Monitoring Strategy | |
Continuous Monitoring Plan | |
Enterprise Architecture (EA) | |
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA) | |
INCIDENT RESPONSE POLICY & PROCEDURES (IR) | |
INFORMATION SECURITY PROGRAM PLAN (PM) | |
MEDIA PROTECTION POLICY & PROCEDURES (MP) | |
PERSONNEL SECURITY POLICY & PROCEDURES (PS) | |
PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE) | |
Privacy Impact Assessment | |
Privacy Program Plan | |
Risk Assessment | |
RISK ASSESSMENT POLICY & PROCEDURES (RA) | |
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (CA) | |
SECURITY AWARENESS AND TRAINING POLICY & PROCEDURES (AT) | |
Security Configurations | |
SECURITY PLANNING POLICY & PROCEDURES (PL) | |
SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC) | |
SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI) | |
SYSTEM AND SERVICES ACQUISITION POLICY & PROCEDURES (SA) | |
System Interconnection Agreements | |
SYSTEM MAINTENANCE POLICY & PROCEDURES (MA) | |
Policy & Procedures
Here you'll find a catalog of Access Control related policies and procedures for managing access to your digital enterprise and information supply chain. Select those that support your risk-based cybersecurity program.
POLICIES & PROCEDURES | APPLICABLE CONTROL(S) |
Access control policy | AC-9 (4) |
Access control POLICY & PROCEDURES | AC-1 |
Discretionary access control policies | AC-3 (4) |
Incident handling policy | AC-19 (4) |
Information flow control policies | AC-4 AC-4 (1) AC-4 (2) AC-4 (3) AC-4 (4) AC-4 (5) AC-4 (6) AC-4 (7) AC-4 (8) AC-4 (9) AC-4 (10) AC-4 (11) AC-4 (12) AC-4 (13) AC-4 (14) AC-4 (15) AC-4 (17) AC-4 (18) AC-4 (19) AC-4 (20) AC-4 (21) AC-4 (22) AC-16 (7) |
Information flow enforcement policy | AC-4 (18) AC-4 (19) AC-4 (20) AC-4 (21) AC-4 (22) |
Information flow information policies | AC-4 (10) |
Mandatory access control policies | AC-3 (3) |
Privacy and security policies | AC-8 |
Role-based access control policies | AC-3 (7) |
Procedures addressing access control decisions | AC-24 |
Procedures addressing access control for mobile device usage (including restrictions) | AC-19 |
Procedures addressing access control for mobile devices | AC-19 (4) AC-19 (5) |
Procedures addressing access enforcement | AC-16 (7) AC-24 (2) AC-25 AC-3 AC-3 (10) AC-3 (3) AC-3 (4) AC-3 (5) AC-3 (7) AC-3 (8) AC-3 (9) |
Procedures addressing access enforcement and dual authorization | AC-3 (2) |
Procedures addressing account management | AC-2 AC-2 (1) AC-2 (10) AC-2 (11) AC-2 (12) AC-2 (13) AC-2 (2) AC-2 (3) AC-2 (4) AC-2 (5) AC-2 (6) AC-2 (7) AC-2 (8) AC-2 (9) |
Procedures addressing association of security attributes to information | AC-16 (8) |
Procedures addressing association of security attributes with subjects and objects | AC-16 (6) |
Procedures addressing concurrent session control | AC-10 |
Procedures addressing configuration of security attributes by authorized individuals | AC-16 (10) |
Procedures addressing consistent interpretation of security attributes transmitted between distributed information system components | AC-16 (7) |
Procedures addressing data mining techniques | AC-23 |
Procedures addressing disconnecting or disabling remote access to the information system | AC-17 (9) |
Procedures addressing display of security attributes in human-readable form | AC-16 (5) |
Procedures addressing divisions of responsibility and separation of duties | AC-5 |
Procedures addressing dynamic association of security attributes to information | AC-16 (1) |
Procedures addressing IDENTIFICATION & AUTHENTICATION | AC-11 |
Procedures addressing information flow enforcement | AC-4 (1) AC-4 (2) AC-4 (3) AC-4 (4) AC-4 (5) AC-4 (6) AC-4 (7) AC-4 (8) AC-4 (9) AC-4 (10) AC-4 (11) AC-4 (12) AC-4 (13) AC-4 (14) AC-4 (15) AC-4 (17) AC-4 (18) AC-4 (19) AC-4 (20) AC-4 (21) AC-4 (22) AC-16 (7) |
Procedures addressing least privilege | AC-6 AC-6 (1) AC-6 (10) AC-6 (2) AC-6 (3) AC-6 (4) AC-6 (5) AC-6 (6) AC-6 (7) AC-6 (8) AC-6 (9) |
Procedures addressing permitted actions without identification or authentication | AC-14 |
Procedures addressing previous logon notification | AC-9 AC-9 (1) AC-9 (2) AC-9 (3) AC-9 (4) |
Procedures addressing protection of data storage objects against data mining | AC-23 |
Procedures addressing publicly accessible content | AC-22 |
Procedures addressing reassignment of security attributes to information | AC-16 (9) |
Procedures addressing remote access implementation and usage (including restrictions) | AC-17 |
Procedures addressing remote access to the information system | AC-17 (1) AC-17 (2) AC-17 (3) AC-17 (4) AC-17 (6) |
Procedures addressing session lock | AC-11 AC-11 (1) |
Procedures addressing session termination | AC-12 AC-12 (1) |
Procedures addressing source and destination domain IDENTIFICATION & AUTHENTICATION | AC-4 (17) |
Procedures addressing system use notification | AC-8 |
Procedures addressing the association of security attributes to information | AC-16 (3) AC-16 (4) |
Procedures addressing the association of security attributes to information in storage, in process, and in transmission | AC-16 |
Procedures addressing the change of security attribute values | AC-16 (2) |
Procedures addressing the use of external information systems | AC-20 AC-20 (1) AC-20 (2) AC-20 (3) |
Procedures addressing unsuccessful login attempts on mobile devices | AC-7 (2) |
Procedures addressing unsuccessful logon attempts | AC-7 |
Procedures addressing use of network accessible storage devices in external information systems | AC-20 (4) |
Procedures addressing user-based collaboration and information sharing (including restrictions) | AC-21 AC-21 (1) AC-21 (2) |
Procedures addressing wireless access implementation and usage (including restrictions) | AC-18 |
Procedures addressing wireless implementation and usage (including restrictions) | AC-18 (1) AC-18 (3) AC-18 (4) AC-18 (5) |
Evidence, Records & Artifacts
Here you'll find a catalog of Access Control related evidence, records, and artifacts that demonstrate how access to your digital enterprise and information supply chain is managed. Select those that support your risk-based cybersecurity program.
ARTIFACT | APPLICABLE CONTROL(S) |
Access authorization records | AC-2 |
Account access termination records | AC-2 (10) |
Account management compliance reviews | AC-2 |
Account management documents | AC-20 (1) AC-20 (2) AC-20 (3) |
Approved configuration baselines | AC-4 (20) |
Audit tracking and monitoring reports | AC-2 (7) AC-2 (12) |
Authorizations for mobile device connections to organizational information systems | AC-19 |
Conditions for employing audited override of automated access control mechanisms | AC-3 (10) |
Configuration management plan | AC-17 AC-18 AC-19 |
Cryptographic mechanisms and associated configuration documentation | AC-17 (2) |
Display screen with session lock activated | AC-11 (1) |
Documented approval of information system use notification messages or banners | AC-8 |
Encryption mechanisms and associated configuration documentation | AC-19 (5) |
Evidentiary documentation for random inspections and reviews of mobile devices | AC-19 (4) |
External information systems terms and conditions | AC-20 |
Information search and retrieval records | AC-21 (2) |
Information system access authorizations | AC-5 |
Information system audit logs | AC-23 |
Information system baseline configuration | AC-4 |
Information system configuration settings and associated documentation | AC-10 |
Information system connection or processing agreements | AC-20 (1) AC-20 (2) AC-20 (3) AC-20 (4) |
Information system hardware mechanisms and associated configurations | AC-4 (7) |
Information system monitoring records | AC-2 AC-2 (7) AC-2 (12) AC-17 (1) |
Information system notification messages | AC-9 |
Information system security architecture and associated documentation | AC-4 (2) AC-4 (3) |
Information system use notification messages | AC-8 |
Maximum security categorization for information processed, stored, or transmitted on external information systems | AC-20 |
Notifications or records of recently transferred, separated, or terminated employees | AC-2 |
Notifications/alerts of account creation, modification, enabling, disabling, and removal actions | AC-2 (4) |
Records of actions taken when privileged role assignments are no longer appropriate | AC-2 (7) |
Records of human reviews regarding information flows | AC-4 (9) |
Records of privilege removals or reassignments for roles or classes of users | AC-6 (7) |
Records of publicly accessible information reviews | AC-22 |
Records of response to nonpublic information on public websites | AC-22 |
Remote access authorizations | AC-17 |
Role-based access control policies | AC-3 (7) |
Rules governing revocation of access authorizations, information system audit records | AC-3 (8) |
Security awareness training records | AC-22 |
Security violation reports | AC-2 (5) |
Special dissemination, handling, or distribution instructions | AC-16 (5) |
System audit logs | AC-22 |
Training materials and/or records | AC-22 |
Types of human-readable, standard naming conventions | AC-16 (5) |
Types of metadata used to enforce information flow control decisions | AC-4 (6) |
User acknowledgements of notification message or banner | AC-8 |
User logout messages | AC-12 (1) |
Validation reviews of privileges assigned to roles or classes of users | AC-6 (7) |
Wireless access authorizations | AC-18 |
Access Control Related Lists
These are the Access Control (AC) related lists you may need to support your security program. For the lists applicable to your systems and information supply chain, you should know the source of each list and the data it contains; how the list is generated, where it is stored, and how it is maintained; and how to obtain it when you have an incident, an incident investigation, or an audit.
LIST | APPLICABLE CONTROL(S) |
Information system-generated list of emergency accounts removed and/or disabled | AC-2 (2) AC-2 (3) |
Information system-generated list of privileged user accounts and associated role | AC-2 (7) |
Information system-generated list of temporary accounts removed and/or disabled | AC-2 (2) AC-2 (3) |
List of actions requiring dual authorization | AC-3 (2) |
List of active system accounts along with the name of the individual associated with each account | AC-2 |
List of all managed network access control points | AC-17 (3) |
List of approved authorizations (user privileges) | AC-3 AC-3 (2) |
List of assigned access authorizations (user privileges) | AC-6 |
List of audited events | AC-6 (9) |
List of binding techniques to bind security attributes to information | AC-4 (18) |
List of conditions for group and role membership | AC-2 |
List of conditions or trigger events requiring session disconnect | AC-12 |
List of conditions requiring human reviews for information flows | AC-4 (9) |
List of data content policy filters | AC-4 (14) |
List of data type identifiers | AC-4 (12) |
List of divisions of responsibility and separation of duties | AC-5 |
List of individuals authorized to change security attributes | AC-16 (2) |
List of information flow authorizations | AC-4 |
List of information sharing circumstances requiring user discretion | AC-21 |
List of limitations to be enforced on embedding data types within other data types | AC-4 (5) |
List of mechanisms and/or techniques used to logically or physically separate information flows | AC-4 (21) |
List of mobile devices to be purged/wiped after organization-defined consecutive, unsuccessful device logon attempts | AC-7 (2) |
List of network accessible storage devices prohibited from use in external information systems | AC-20 (4) |
List of non-organizational users | AC-6 (6) |
List of operational needs for authorizing network access to privileged commands | AC-6 (3) |
List of privileged commands requiring dual authorization | AC-3 (2) |
List of privileged functions and associated user account assignments | AC-6 (10) |
List of privileged functions to be audited | AC-6 (9) |
List of purging/wiping requirements or techniques for mobile devices | AC-7 (2) |
List of recently disabled information system accounts along with the name of the individual associated with each account | AC-2 |
List of required separation of information flows by information types | AC-4 (21) |
List of roles, users, and associated privileges required to control information system access | AC-3 (7) |
List of security attributes and associated information, source, and destination objects enforcing information flow control policies | AC-4 (1) |
List of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized | AC-6 (1) |
List of security policy filtering criteria applied to metadata and data payloads | AC-4 (19) |
List of security policy filters | AC-4 (11) AC-4 (14) |
List of security policy filters enabled/disabled by privileged administrators | AC-4 (10) |
List of security policy filters regulating flow control decisions | AC-4 (8) |
List of security safeguards provided by receiving information system or system components | AC-3 (9) |
List of security safeguards validating appropriateness of information designated for release | AC-3 (9) |
List of software that should not execute at higher privilege levels than users executing software | AC-6 (8) |
List of solutions in approved configurations | AC-4 (20) |
List of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies | AC-3 (4) |
List of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies | AC-3 (3) |
List of system administration personnel | AC-6 (5) |
List of system-generated privileged accounts | AC-6 (5) AC-6 (6) |
List of system-generated roles or classes of users and assigned privileges | AC-6 (7) |
List of system-generated security functions or security-relevant information assigned to information system accounts or roles | AC-6 (2) |
List of types of applications accessible from external information systems | AC-20 |
List of unsanctioned information types and associated information | AC-4 (15) |
List of user actions that can be performed without identification or authentication | AC-14 |
List of user activities posing significant organizational risk | AC-2 (13) |
List of users authorized to associate security attributes to information | AC-16 (4) |
List of users authorized to make information sharing/collaboration decisions | AC-21 |
List of users authorized to post publicly accessible content on organizational information systems | AC-22 |
System-generated list of access restrictions regarding information to be shared | AC-21 (1) AC-21 (2) |
System-generated list of disabled accounts | AC-2 (13) |
System-generated list of dynamic privilege management capabilities | AC-2 (6) |
System-generated list of information system accounts | AC-2 (8) |
System-generated list of information system accounts and associated assignments of usage circumstances and/or usage conditions | AC-2 (11) |
System-generated list of shared/group accounts and associated role | AC-2 (9) |
System-generated list of sharing partners and access authorizations | AC-21 (1) |
System-generated list of users authorized to make information sharing/collaboration decisions | AC-21 (1) |