Access Control (AC)¶

• a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
  • 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] access control policy that:
    • (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    • (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  • 2. Procedures to facilitate the implementation of the access control policy and the associated access controls;
• b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and
• c. Review and update the current access control:
  • 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
  • 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
• b. Assign account managers;
• c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
• d. Specify:
  • 1. Authorized users of the system;
  • 2. Group and role membership; and
  • 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
• e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
• f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
• g. Monitor the use of accounts;
• h. Notify account managers and [Assignment: organization-defined personnel or roles] within:
  • 1. [Assignment: organization-defined time period] when accounts are no longer required;
  • 2. [Assignment: organization-defined time period] when users are terminated or transferred; and
  • 3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
• i. Authorize access to the system based on:
  • 1. A valid access authorization;
  • 2. Intended system usage; and
  • 3. [Assignment: organization-defined attributes (as required)];
• j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];
• k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
• l. Align account management processes with personnel termination and transfer processes.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Support the management of system accounts using [Assignment: organization-defined automated mechanisms].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Automatically [Selection: one of: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Disable accounts within [Assignment: organization-defined time period] when the accounts:

• (a) Have expired;
• (b) Are no longer associated with a user or individual;
• (c) Are in violation of organizational policy; or
• (d) Have been inactive for [Assignment: organization-defined time period].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Automatically audit account creation, modification, enabling, disabling, and removal actions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement [Assignment: organization-defined dynamic privilege management capabilities].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Establish and administer privileged user accounts in accordance with [Selection: one of: a role-based access scheme; an attribute-based access scheme];
• (b) Monitor privileged role or attribute assignments;
• (c) Monitor changes to roles or attributes; and
• (d) Revoke access when privileged role or attribute assignments are no longer appropriate.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Monitor system accounts for [Assignment: organization-defined atypical usage]; and
• (b) Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other actions].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy:

• (a) Is uniformly enforced across the covered subjects and objects within the system;
• (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following;
  • (1) Passing the information to unauthorized subjects or objects;
  • (2) Granting its privileges to other subjects;
  • (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;
  • (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and
  • (5) Changing the rules governing access control; and
• (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:

• (a) Pass the information to any other subjects or objects;
• (b) Grant its privileges to other subjects;
• (c) Change security attributes on subjects, objects, the system, or the system’s components;
• (d) Choose the security attributes to be associated with newly created or revised objects; or
• (e) Change the rules governing access control.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Release information outside of the system only if:

• (a) The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and
• (b) [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Restrict access to data repositories containing [Assignment: organization-defined information types].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions];
• (b) Provide an enforcement mechanism to prevent unauthorized access; and
• (c) Approve access changes after initial installation of the application.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and
• (b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce [Assignment: organization-defined information flow control policies].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection: one or more of: decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce [Assignment: organization-defined limitations] on embedding data types within other data types.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce information flow control based on [Assignment: organization-defined metadata].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce one-way information flows through hardware-based flow control mechanisms.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and
• (b) [Selection: one or more of: block; strip; modify; quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, examine the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Uniquely identify and authenticate source and destination points by [Selection: one or more of: organization, system, application, service, individual] for information transfer.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, sanitize data to minimize [Selection: one or more of: delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography-encoded data; spillage of sensitive information] in accordance with [Assignment: organization-defined policy].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, employ content filter orchestration engines to ensure that:

• (a) Content filtering mechanisms successfully complete execution without errors; and
• (b) Content filtering actions occur in the correct order and comply with [Assignment: organization-defined policy].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, implement content filtering mechanisms using multiple processes.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

When transferring information between different security domains, the process that transfers information between filter pipelines:

• (a) Does not filter message content;
• (b) Validates filtering metadata;
• (c) Ensures the content associated with the filtering metadata has successfully completed filtering; and
• (d) Transfers the content to the destination filter pipeline.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Identify and document [Assignment: organization-defined duties of individuals]; and
• b. Define system access authorizations to support separation of duties.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Authorize access for [Assignment: organization-defined individuals and roles] to:

• (a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and
• (b) [Assignment: organization-defined security-relevant information].

External Link for Additional Information: myctrl.tools

Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions.

External Link for Additional Information: myctrl.tools

Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide separate processing domains to enable finer-grained allocation of user privileges.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Prohibit privileged access to the system by non-organizational users.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles and classes] to validate the need for such privileges; and
• (b) Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software].

External Link for Additional Information: myctrl.tools

Log the execution of privileged functions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Prevent non-privileged users from executing privileged functions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
• b. Automatically [Selection: one or more of: lock the account or node for; lock the account or node until released by an administrator; delay next logon prompt per; notify system administrator; take other] when the maximum number of unsuccessful attempts is exceeded.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined number].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and
• (b) Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Display [Assignment: organization-defined system use notification] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:
  • 1. Users are accessing a U.S. Government system;
  • 2. System usage may be monitored, recorded, and subject to audit;
  • 3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
  • 4. Use of the system indicates consent to monitoring and recording;
• b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
• c. For publicly accessible systems:
  • 1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system;
  • 2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
  • 3. Include a description of the authorized uses of the system.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Notify the user, upon successful logon to the system, of the date and time of the last logon.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Notify the user, upon successful logon, of the number of [Selection: one of: successful logons; unsuccessful logon attempts; both] during [Assignment: organization-defined time period].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Notify the user, upon successful logon, of changes to [Assignment: organization-defined security-related characteristics or parameters] during [Assignment: organization-defined time period].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Notify the user, upon successful logon, of the following additional information: [Assignment: organization-defined additional information].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account types] to [Assignment: organization-defined number].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Prevent further access to the system by [Selection: one or more of: initiating a device lock after of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and
• b. Retain the device lock until the user reestablishes access using established identification and authentication procedures.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Display an explicit logout message to users indicating the termination of authenticated communications sessions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and
• b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission;
• b. Ensure that the attribute associations are made and retained with the information;
• c. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes];
• d. Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges];
• e. Audit changes to attributes; and
• f. Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Maintain the association and integrity of [Assignment: organization-defined security and privacy attributes] to [Assignment: organization-defined subjects and objects].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide the capability to associate [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-defined instructions] using [Assignment: organization-defined naming conventions].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require personnel to associate and maintain the association of [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security and privacy policies].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement [Assignment: organization-defined techniques and technologies] in associating security and privacy attributes to information.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
• b. Authorize each type of remote access to the system prior to allowing such connections.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Employ automated mechanisms to monitor and control remote access methods.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Route remote accesses through authorized and managed network access control points.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and
• (b) Document the rationale for remote access in the security plan for the system.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Protect information about remote access mechanisms from unauthorized use and disclosure.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
• b. Authorize each type of wireless access to the system prior to allowing such connections.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Protect wireless access to the system using authentication of [Selection: one or more of: users; devices] and encryption.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and
• b. Authorize the connection of mobile devices to organizational systems.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
• (b) Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information:
  • (1) Connection of unclassified mobile devices to classified systems is prohibited;
  • (2) Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official;
  • (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
  • (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
• (c) Restrict the connection of classified mobile devices to classified systems in accordance with [Assignment: organization-defined security policies].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Employ [Selection: one of: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. [Selection: one or more of: establish; identify], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
  • 1. Access the system from external systems; and
  • 2. Process, store, or transmit organization-controlled information using external systems; or
• b. Prohibit the use of [Assignment: organization-defined prohibited types of external systems].

External Link for Additional Information: myctrl.tools

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:

• (a) Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or
• (b) Retention of approved system connection or processing agreements with the organizational entity hosting the external system.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [Assignment: organization-defined restrictions].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Prohibit the use of [Assignment: organization-defined network-accessible storage devices] in external systems.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [Assignment: organization-defined information-sharing circumstances]; and
• b. Employ [Assignment: organization-defined automated mechanisms] to assist users in making information sharing and collaboration decisions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Employ [Assignment: organization-defined automated mechanisms] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement information search and retrieval services that enforce [Assignment: organization-defined information-sharing restrictions].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Designate individuals authorized to make information publicly accessible;
• b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
• c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
• d. Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Employ [Assignment: organization-defined techniques] for [Assignment: organization-defined data storage objects] to detect and protect against unauthorized data mining.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

[Selection: one or more of: establish procedures; implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Enforce access control decisions based on [Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools