Device Class 1: Access Enforcement

Control ID: AC-3 Access Enforcement Family: Access Control Source: NIST 800-53r4
Control: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance:
Access control policies (e.g.,identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.

Related Controls: AC-2, AC-4, AC-5, AC-6, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3, AC-16
Control Enhancements: N/A
References: N/A
Mechanisms:

  • The device shall support a role-based access mechanism in which:
    • There is an access control policy that defines protected resources and functions to which access control is applied; users and processes must demonstrate that they are authorized to access those resources according to the policy.
    • The device shall be able to grant at least one of ongoing privileged access or periodic privileged access as defined in Notes on Access Control.
    • The device may support an installer that can grant ongoing privileged access to installed processes.
    • The access control policy may only be edited by privileged users.

Protocol Implementation Conformance Statements:
ID Statement Status Reference Notes
AC-3/1 Support role-based access M
AC-3/1.1 Support ongoing privileged access AC-3/1:O1
AC-3/1.2 Support periodic privileged access AC-3/1:O1
AC-3/1.2.1 Allow an installer to allow periodic privileged access O
AC-3/1.3 Enforce that only privileged users may edit the access policy M