Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/NIST_CSF_prc/documents/protect/NDCBF_ ITSecPlan_PRAC2017.pdf

Information Technology Security Plan Policies, Controls, and … · 2019-10-31 · The Identity Management and Access Control functions intends to ensure access to physical and logical

  • Upload
    others

  • View
    2

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Information Technology Security Plan Policies, Controls, and … · 2019-10-31 · The Identity Management and Access Control functions intends to ensure access to physical and logical

Information Technology Security Plan

Policies, Controls, and Procedures Protect: Identity Management and Access Control

PR.AC Location:

https://www.pdsimplified.com/ndcbf_pdframework/NIST_CSF_prc/documents/protect/NDCBF_ITSecPlan_PRAC2017.pdf


North Dallas Community Bible Fellowship IT Security Plan – Protect Identity Management and Access Control

PR.AC Page: 1

Information Security Policy and Procedures Protect: Identity Management and Access Control

PR.AC

Table of Contents

Protect: Identity Management and Access Control PR.AC Overview .. 3

Manage Identities and Credentials for Authorized Devices PR.AC-1 .. 5

Risk Management: ............................................................................. 10

Compliance Management:................................................................. 12

Resources Required ........................................................................... 16

Links to Supporting Policies, Documentation, and Resources ......... 16

Deliverables Status: ........................................................................... 16

Manage and Protect Physical Access to Assets PR.AC-2 ................... 17

Risk Management: ............................................................................. 19

Compliance Management:................................................................. 19

Resources Required ........................................................................... 19

Links to Supporting Policies, Documentation, and Resources ......... 20

Deliverables Status: ........................................................................... 20

Manage Remote Access PR.AC-3 ....................................................... 21

Risk Management: ............................................................................. 21

Compliance Management:................................................................. 22

Resources Required ........................................................................... 22

Links to Supporting Policies, Documentation, and Resources ......... 22

Deliverables Status: ........................................................................... 22


Manage Access Permissions and Authorizations, Incorporating Principles of Least Privilege and Separation of Duties PR.AC-4 ....... 23

Risk Management: ............................................................................. 25

Compliance Management:................................................................. 25

Resources Required ........................................................................... 25

Links to Supporting Policies, Documentation, and Resources ......... 25

Deliverables Status: ........................................................................... 26

Protect Network Integrity Incorporating Network Segregation Where Appropriate PR.AC-5 ........................................................................... 27

Risk Management: ............................................................................. 27

Compliance Management:................................................................. 27

Resources Required ........................................................................... 28

Links to Supporting Policies, Documentation, and Resources ......... 28

Deliverables Status: ........................................................................... 28

Identities Proofed, Bound to Credentials and Asserted in Interaction When Appropriate PR.AC-6 ................................................................ 29

Risk Management: ............................................................................. 33

Compliance Management:................................................................. 33

Resources Required ........................................................................... 34

Links to Supporting Policies, Documentation, and Resources ......... 34

Deliverables Status: ........................................................................... 34


Protect: Identity Management and Access Control PR.AC

Protect: Identity Management and Access Control PR.AC Overview

Disciplined management of system and personnel identity and authentication is perhaps the most crucial aspect of systems management for limiting what threat actors can do: they seek access privileges in order to penetrate systems and move through them. The Identity Management and Access Control function is intended to ensure that access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access. The Protect: Identity Management and Access Control functions are:

• Manage Identities and Credentials for Authorized Devices PR.AC-1 – Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes

• Manage and Protect Physical Access to Assets PR.AC-2 – Physical access to assets is managed and protected

• Manage Remote Access PR.AC-3 – Remote access is managed

• Manage Access Permissions and Authorizations, Incorporating Principles of Least Privilege and Separation of Duties PR.AC-4 – Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

• Protect Network Integrity Incorporating Network Segregation Where Appropriate PR.AC-5 – Network integrity is protected, incorporating network segregation where appropriate


• Identities Proofed, Bound to Credentials and Asserted in Interaction When Appropriate PR.AC-6 – Identities are proofed and bound to credentials, and asserted in interactions when appropriate


Manage Identities and Credentials for Authorized Devices PR.AC-1

Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes

Primary Control Reference - NIST SP 800-53 Rev. 4 (HD added AC-1), AC-2, IA Family

• AC-1 ACCESS CONTROL POLICY AND PROCEDURES - Control: The organization:
o a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
o b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or, conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.


o Related control: PM-9.
o Control Enhancements: None.
o References: NIST Special Publications 800-12, 800-100.
o Priority and Baseline Allocation:

• AC-2 ACCOUNT MANAGEMENT - Control: The organization:
o a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
o b. Assigns account managers for information system accounts;
o c. Establishes conditions for group and role membership;
o d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
o e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
o f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
o g. Monitors the use of information system accounts;
o h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
o i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;


o j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and

o k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group

• IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES - Control: The organization:
o a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
o b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined frequency].

• IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) - Control: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

• IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION - Control: The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.

• IA-4 IDENTIFIER MANAGEMENT - Control: The organization manages information system identifiers by:
o a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
o b. Selecting an identifier that identifies an individual, group, role, or device;
o c. Assigning the identifier to the intended individual, group, role, or device;
o d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
o e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].

• IA-5 AUTHENTICATOR MANAGEMENT - Control: The organization manages information system authenticators by:
o a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
o b. Establishing initial authenticator content for authenticators defined by the organization;
o c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
o d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
o e. Changing default content of authenticators prior to information system installation;
o f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;


o g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];

o h. Protecting authenticator content from unauthorized disclosure and modification;

o i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and

o j. Changing authenticators for group/role accounts when membership to those accounts changes.

• IA-6 AUTHENTICATOR FEEDBACK - Control: The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

• IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION - Control: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

• IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) - Control: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

• IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION - Control: The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].

• IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION - Control: The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].

• IA-11 RE-AUTHENTICATION - Control: The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
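An added example, not part of this plan and not code from the church or from NIST, of how the AC-2(e)/(f)/(j) account review, the IA-4(e) inactivity rule and the IA-5(g) authenticator refresh rule cited above can be run as a check over an exported account list. The 90-day thresholds are assumed values standing in for the plan's [Assignment: ...] placeholders, and the account records and HR termination list are constructed sample data.

```python
"""Periodic account review modelled on NIST SP 800-53 AC-2(e)/(f)/(j),
IA-4(e) and IA-5(g) as cited in this plan.  Thresholds are assumed
organization-defined values; the account records and the HR termination
list below are constructed sample data, not real accounts."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Assumed organization-defined values standing in for the plan's
# [Assignment: ...] placeholders.
MAX_INACTIVE_DAYS = 90      # IA-4(e): disable identifier after inactivity
MAX_PASSWORD_AGE_DAYS = 90  # IA-5(g): refresh authenticators on a schedule
REVIEW_DATE = date(2019, 10, 31)


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: Optional[date]    # None: never logged on
    password_set: Optional[date]  # None: never set / unknown
    approver: Optional[str]       # AC-2(e): recorded creation approval


@dataclass
class Finding:
    account: str
    control: str   # control clause the account fails
    action: str    # what the account manager should do


def days_since(today: date, when: Optional[date]) -> Optional[int]:
    """Age of an event in days, or None when the event never happened."""
    return None if when is None else (today - when).days


def review_accounts(accounts: List[Account], terminated: Set[str],
                    today: date = REVIEW_DATE) -> List[Finding]:
    """AC-2(j)-style review: return one Finding per failed clause."""
    findings: List[Finding] = []
    for a in accounts:
        # AC-2(f)/(h): a terminated user's account must be disabled or removed.
        if a.enabled and a.name in terminated:
            findings.append(Finding(a.name, "AC-2(f)", "disable: user terminated"))
            continue
        if not a.enabled:
            continue  # already disabled; nothing further to enforce
        # AC-2(e): account creation must carry a recorded approval.
        if not a.approver:
            findings.append(Finding(a.name, "AC-2(e)", "no recorded creation approval"))
        # IA-4(e): identifier idle longer than the defined period.
        idle = days_since(today, a.last_logon)
        if idle is None or idle > MAX_INACTIVE_DAYS:
            findings.append(Finding(a.name, "IA-4(e)", f"disable: inactive {idle} days"))
        # IA-5(g): authenticator older than its defined refresh period.
        age = days_since(today, a.password_set)
        if age is None or age > MAX_PASSWORD_AGE_DAYS:
            findings.append(Finding(a.name, "IA-5(g)", f"rotate: password age {age} days"))
    return findings


# Constructed sample export (as from a directory service) and HR list.
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, date(2019, 10, 28), date(2019, 9, 1), "it-form-1042"),
    Account("svc-backup", True, date(2019, 5, 1), date(2018, 12, 1), "it-form-0871"),
    Account("admin-legacy", True, date(2019, 10, 30), date(2019, 10, 1), None),
    Account("mlee", True, date(2019, 10, 20), date(2019, 10, 1), "it-form-1001"),
    Account("old-intern", False, date(2018, 6, 1), date(2018, 5, 1), "it-form-0500"),
]
TERMINATED = {"mlee"}


def run_review() -> List[Finding]:
    """Run the review over the constructed sample and return its findings."""
    return review_accounts(SAMPLE_ACCOUNTS, TERMINATED)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.account:14} {f.control:9} {f.action}")
```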

RISK MANAGEMENT:

• eRisk Self-Assessment - 7) Access Control

o 7.1) Is there a documented access control policy in place for all mission-critical systems? (Best practice: Access to mission-critical systems must be limited to the minimal number of employees or users actually requiring access. Additionally, access should be controlled using appropriate authentication mechanisms.)

Answer: Work in progress

o 7.2) Are documented standards and procedures in place for user account registration, assignment of access rights, password management, and routine reviews by business/IT managers to ensure up-to-date status and accuracy? (Best practice: Documented procedures that address the access rights of individual account owners must be enforced on a continuing basis to ensure that the organization retains effective control over its computing resources.)

Answer: Work in progress

o 7.3) Please describe how access management procedures are carried out within your organization. In particular, please describe your use of “exit check lists” and IT management notification procedures that are utilized when an employee leaves the company under both friendly and adverse circumstances.


Answer example: Active Directory groups are maintained in most cases; Standard form-based submission to IT to authorize new/change/depart employee access.

o 7.4) Do you enforce a defined password composition and change standard that requires passwords to be at least 6-8 characters in length, using mixed-case alphanumeric and special characters, along with additional minimum requirements for non-reuse and change frequency? (Best practice: Poorly chosen (dictionary-based) passwords are one of the leading causes of a security breach and are a major vulnerability. 'Password cracking' software is prevalent and is highly efficient and effective. Ideally, password authentication should be augmented by physical 'token' devices that require a user to type in a random number generated from a keychain-sized device that remains with the individual.)

Answer: Work in progress

o 7.5) Please describe the current password composition and change standards for all user accounts within your organization, and identify differences in these requirements that apply for “normal” versus “administrator” level user accounts.

Answer example: Strong Active Directory 8-character, 3-of-4 from among upper/lower case, numeric, special characters. 90-day requirement. Admin passwords are subject to higher complexity and stored in a password vault solution.

o 7.6) Are narrowly tailored, role-based, and management-approved access rights assigned to systems administration personnel who require privileged access to systems or network components in order to carry out their assigned job tasks?


(Best practice: Privileges should be granted to only those administrators requiring them. They should be reviewed periodically to ensure they are withdrawn when they are no longer necessary. Moreover, proper separation of duties helps avoid giving a single administrator too much hands-on control over mission-critical business tools.)

Answer: Work in progress

o 7.7) Are access controls monitored through event logging with manual reviews for audit compliance? (Best practice: Controls over network access should be a work-in-process employing hardware, access applications, and activity audits.)

Answer: Work in progress

COMPLIANCE MANAGEMENT:

• PCI Compliance Requirements
o 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access
o 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities
o 7.1.3 Assign access based on individual personnel's job classification and function

• HIPAA AND TEXAS HOUSE BILL 300 Requirements
o Information Access Management (§ 164.308(a)(4)) - HIPAA Standard: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

Implement Policies and Procedures for Authorizing Access


Implement policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, process, or other mechanism.

Decide how access will be granted to workforce members within the organization.

Select the basis for restricting access.

Select an access control method (e.g., identity-based, role-based, or other reasonable and appropriate means of access).

Determine if direct access to EPHI will ever be appropriate for individuals external to the organization (e.g., business partners or patients seeking access to their own EPHI).

Implement Policies and Procedures for Access Establishment and Modification

Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

Establish standards for granting access.

Provide formal authorization from the appropriate authority before granting access to sensitive information.

Evaluate Existing Security Measures Related to Access Controls

Evaluate the security features of access controls already in place, or those of any planned for implementation, as appropriate.

Determine if these security features involve alignment with other existing management, operational, and technical controls, such as policy standards and personnel procedures, maintenance and review of audit trails, identification and authentication of users, and physical access controls.

o Access Control (§ 164.312(a)(1)) - HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

Analyze Workloads and Operations To Identify the Access Needs of All Users

Identify an approach for access control.

Consider all applications and systems containing EPHI that should be available only to authorized users.

Integrate these activities into the access granting and management process.

Identify Technical Access Control Capabilities

Determine the access control capability of all information systems with EPHI.

Ensure that All System Users Have Been Assigned a Unique Identifier

Assign a unique name and/or number for identifying and tracking user identity.

Ensure that system activity can be traced to a specific user.

Ensure that the necessary data is available in the system logs to support audit and other related business functions.

Develop Access Control Policy

Establish a formal policy for access control that will guide the development of procedures.


Specify requirements for access control that are both feasible and cost-effective for implementation.82

Implement Access Control Procedures Using Selected Hardware and Software

Implement the policy and procedures using existing or additional hardware/software solution(s).

Review and Update User Access

Enforce policy and procedures as a matter of ongoing operations.

Determine if any changes are needed for access control mechanisms.

Establish procedures for updating access when users require the following:
o Initial access
o Increased access
o Access to different systems or applications than those they currently have

Establish an Emergency Access Procedure

Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

Identify a method of supporting continuity of operations should the normal access procedures be disabled or unavailable due to system problems.

Automatic Logoff and Encryption and Decryption

Consider whether the addressable implementation specifications of this standard are reasonable and appropriate:


Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Implement a mechanism to encrypt and decrypt EPHI.

Terminate Access if it is No Longer Required

Ensure that access to EPHI is terminated if the access is no longer authorized.

RESOURCES REQUIRED

• Support agreements and other resources required to execute

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

• Document
• Document
• Document

DELIVERABLES STATUS:

Supplier Deliverable Consumer Status


Manage and Protect Physical Access to Assets PR.AC-2

Physical access to assets is managed and protected

Primary Control Reference - NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9

• PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES - Control: The organization:
o a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
o b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency].

• PE-2 PHYSICAL ACCESS AUTHORIZATIONS - Control: The organization:
o a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
o b. Issues authorization credentials for facility access;
o c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and


o d. Removes individuals from the facility access list when access is no longer required.

• PE-3 PHYSICAL ACCESS CONTROL - Control: The organization:
o a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];

o b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];

o c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;

o d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];

o e. Secures keys, combinations, and other physical access devices;

o f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and

o g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

• PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM - Control: The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].

• PE-5 ACCESS CONTROL FOR OUTPUT DEVICES - Control: The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

• PE-6 MONITORING PHYSICAL ACCESS - Control: The organization: o a. Monitors physical access to the facility where the information

system resides to detect and respond to physical security incidents;

o b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and

o c. Coordinates results of reviews and investigations with the organizational incident response capability.

• PE-9 POWER EQUIPMENT AND CABLING - Control: The organization protects power equipment and power cabling for the information system from damage and destruction.
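As an added worked example (it is not part of the NDCBF plan or of the NIST control text), the following Python script shows the kind of review PE-6 b calls for. It parses a constructed badge-reader log and flags grants for badges not on the door's authorization list (the PE-3 a.1 authorizations), grants outside business hours, and repeated denials at one door, so that the results can be handed to the incident response capability named in PE-6 c. The log format, badge identifiers, door names, authorized hours and denial threshold are all assumptions chosen for the example; an organization substitutes its own [Assignment:] values.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed badge-reader log for this example (not real data).
# One event per line: <ISO timestamp> door=<entry point> badge=<badge id> result=<GRANTED|DENIED>
SAMPLE_LOG = """\
2019-10-31T08:02:11 door=server-room badge=B1042 result=GRANTED
2019-10-31T08:05:40 door=server-room badge=B2210 result=GRANTED
2019-10-31T12:30:05 door=server-room badge=B3001 result=DENIED
2019-10-31T12:30:19 door=server-room badge=B3001 result=DENIED
2019-10-31T12:30:33 door=server-room badge=B3001 result=DENIED
2019-10-31T22:15:00 door=server-room badge=B1042 result=GRANTED
2019-10-31T22:16:00 door=front-lobby badge=B1042 result=GRANTED
"""

# Hypothetical physical access authorizations per entry/exit point (PE-3 a.1).
AUTHORIZED = {
    "server-room": {"B1042"},
    "front-lobby": {"B1042", "B2210", "B3001"},
}

# Hypothetical review parameters standing in for the [Assignment:] values in PE-6 b.
BUSINESS_HOURS = (7, 19)   # grants before 07:00 or from 19:00 on are flagged
DENIAL_THRESHOLD = 3       # this many denials at one door by one badge is an event


@dataclass(frozen=True)
class Event:
    ts: datetime
    door: str
    badge: str
    result: str


def parse_log(text):
    """Parse the key=value log format above into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(datetime.fromisoformat(ts_str),
                            kv["door"], kv["badge"], kv["result"]))
    return events


def review(events):
    """Return (finding type, badge, door, timestamp) tuples for the PE-6 b review.

    UNAUTHORIZED_GRANT - a grant for a badge not authorized at that door
    AFTER_HOURS        - a grant outside BUSINESS_HOURS
    REPEATED_DENIAL    - the DENIAL_THRESHOLD-th denial for one badge at one door
    """
    findings = []
    denials = Counter()
    for e in events:
        if e.result == "GRANTED":
            if e.badge not in AUTHORIZED.get(e.door, set()):
                findings.append(("UNAUTHORIZED_GRANT", e.badge, e.door, e.ts.isoformat()))
            if not (BUSINESS_HOURS[0] <= e.ts.hour < BUSINESS_HOURS[1]):
                findings.append(("AFTER_HOURS", e.badge, e.door, e.ts.isoformat()))
        elif e.result == "DENIED":
            denials[(e.badge, e.door)] += 1
            if denials[(e.badge, e.door)] == DENIAL_THRESHOLD:
                findings.append(("REPEATED_DENIAL", e.badge, e.door, e.ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the sample log the review produces four findings: one grant at the server room for a badge that is not authorized there, the third consecutive denial for badge B3001, and two after-hours grants. The authorization table is the same data the PE-3 a.1 check uses at the door, so a grant that contradicts it points at a badge-system configuration error or a cloned credential rather than a policy gap.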

RISK MANAGEMENT:

• eRisk Self-Assessment
• Questions that apply

COMPLIANCE MANAGEMENT:

• PCI Compliance Requirements
• Requirements that apply
• HIPAA AND TEXAS HOUSE BILL 300 Requirements
• Requirements and questions that apply

RESOURCES REQUIRED

• Support agreements and other resources required to execute

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

• Document
• Document
• Document

DELIVERABLES STATUS:

Supplier | Deliverable | Consumer | Status


Manage Remote Access PR.AC-3

Remote access is managed

Primary Control Reference - NIST SP 800-53 Rev. 4 AC-17, AC-19, AC-20

• AC-17 REMOTE ACCESS - Control: The organization:

  o a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

  o b. Authorizes remote access to the information system prior to allowing such connections.

• AC-19 ACCESS CONTROL FOR MOBILE DEVICES - Control: The organization:

  o a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and

  o b. Authorizes the connection of mobile devices to organizational information systems.

• AC-20 USE OF EXTERNAL INFORMATION SYSTEMS - Control: The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

  o a. Access the information system from external information systems; and

  o b. Process, store, or transmit organization-controlled information using external information systems.

RISK MANAGEMENT:

• eRisk Self-Assessment

• Questions that apply

COMPLIANCE MANAGEMENT:

• PCI Compliance Requirements
• Requirements that apply
• HIPAA AND TEXAS HOUSE BILL 300 Requirements
• Requirements and questions that apply

RESOURCES REQUIRED

• Support agreements and other resources required to execute

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

• Document
• Document
• Document

DELIVERABLES STATUS:

Supplier | Deliverable | Consumer | Status


Manage Access Permissions and Authorizations, Incorporating Principles of Least Privilege and Separation of Duties PR.AC-4

Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

Primary Control Reference - NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16

• AC-2 ACCOUNT MANAGEMENT - Control: The organization:

  o a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];

  o b. Assigns account managers for information system accounts;

  o c. Establishes conditions for group and role membership;

  o d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

  o e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;

  o f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];

  o g. Monitors the use of information system accounts;

  o h. Notifies account managers:

    1. When accounts are no longer required;

    2. When users are terminated or transferred; and

    3. When individual information system usage or need-to-know changes;

  o i. Authorizes access to the information system based on:

    1. A valid access authorization;

    2. Intended system usage; and

    3. Other attributes as required by the organization or associated missions/business functions;

  o j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and

  o k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

• AC-3 ACCESS ENFORCEMENT - Control: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

• AC-5 SEPARATION OF DUTIES - Control: The organization:

  o a. Separates [Assignment: organization-defined duties of individuals];

  o b. Documents separation of duties of individuals; and

  o c. Defines information system access authorizations to support separation of duties.

• AC-6 LEAST PRIVILEGE - Control: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

• AC-16 SECURITY ATTRIBUTES - Control: The organization:

  o a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;

  o b. Ensures that the security attribute associations are made and retained with the information;

  o c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and

  o d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.

RISK MANAGEMENT:

• eRisk Self-Assessment
• Questions that apply

COMPLIANCE MANAGEMENT:

• PCI Compliance Requirements
• Requirements that apply
• HIPAA AND TEXAS HOUSE BILL 300 Requirements
• Requirements and questions that apply

RESOURCES REQUIRED

• Support agreements and other resources required to execute

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

• Document
• Document
• Document


DELIVERABLES STATUS:

Supplier | Deliverable | Consumer | Status


Protect Network Integrity Incorporating Network Segregation Where Appropriate PR.AC-5

Network integrity is protected, incorporating network segregation where appropriate

Primary Control Reference - NIST SP 800-53 Rev. 4 AC-4, SC-7

• AC-4 INFORMATION FLOW ENFORCEMENT - Control: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].

• SC-7 BOUNDARY PROTECTION - Control: The information system:

  o a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;

  o b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and

  o c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
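An added example, not code from the plan: a small Python model of an AC-4 flow-control policy laid over SC-7-style zones. The zone address ranges, the rule list and the port numbers are assumptions constructed for the example. It decides individual flows under default deny, with the DMZ as the only zone the internet may reach, and it checks the rule set for any rule that would let the internet reach the internal or management subnetworks directly, which is the condition the SC-7 b separation is meant to rule out.

```python
import ipaddress

# Hypothetical zone layout for this example (constructed, not the organization's network).
# Dict order matters: the "internet" zone is the catch-all and must come last.
ZONES = {
    "management": [ipaddress.ip_network("10.99.0.0/24")],
    "internal":   [ipaddress.ip_network("10.10.0.0/16")],
    "dmz":        [ipaddress.ip_network("192.0.2.0/24")],
    "internet":   [ipaddress.ip_network("0.0.0.0/0")],
}

# Hypothetical AC-4 flow-control policy: (source zone, destination zone, destination port).
# Every flow not listed is denied. Only the DMZ holds internet-facing services, which is
# how the SC-7 b separation of publicly accessible components is expressed here.
ALLOW_RULES = [
    ("internet",   "dmz",      443),   # public web front end
    ("dmz",        "internal", 5432),  # web tier to database, one port only
    ("internal",   "dmz",      443),
    ("internal",   "internet", 443),
    ("management", "dmz",      22),    # administration from the management zone only
    ("management", "internal", 22),
]


def zone_of(ip):
    """Map an address to the most specific zone that contains it."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    raise ValueError(f"no zone contains {ip}")


def is_allowed(src_ip, dst_ip, dst_port, rules=ALLOW_RULES):
    """Decide one flow under default deny: same zone passes, otherwise a rule must match."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True
    return (src, dst, dst_port) in rules


def segregation_violations(rules):
    """Flag rules that let the internet reach the internal or management zones directly."""
    return [r for r in rules if r[0] == "internet" and r[1] in ("internal", "management")]


if __name__ == "__main__":
    print(is_allowed("203.0.113.5", "192.0.2.10", 443))   # internet -> DMZ web: allowed
    print(is_allowed("203.0.113.5", "10.10.1.20", 5432))  # internet -> internal DB: denied
    print(segregation_violations(ALLOW_RULES))            # no direct internet -> internal rule
```

The check in segregation_violations is the one worth automating against a real firewall export: a single permissive rule added for convenience silently collapses the separation that the DMZ exists to provide, and a rule-set review catches it before traffic does.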

RISK MANAGEMENT:

• eRisk Self-Assessment
• Questions that apply

COMPLIANCE MANAGEMENT:

• PCI Compliance Requirements
• Requirements that apply


• HIPAA AND TEXAS HOUSE BILL 300 Requirements
• Requirements and questions that apply

RESOURCES REQUIRED

• Support agreements and other resources required to execute

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

• Document
• Document
• Document

DELIVERABLES STATUS:

Supplier | Deliverable | Consumer | Status


Identities Proofed, Bound to Credentials and Asserted in Interaction When Appropriate PR.AC-6

Identities are proofed and bound to credentials, and asserted in interactions when appropriate

Primary Control Reference - NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16, AC-19, AC-24, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3

• AC-2 ACCOUNT MANAGEMENT - Control: The organization:

  o a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];

  o b. Assigns account managers for information system accounts;

  o c. Establishes conditions for group and role membership;

  o d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

  o e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;

  o f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];

  o g. Monitors the use of information system accounts;

  o h. Notifies account managers:

    1. When accounts are no longer required;

    2. When users are terminated or transferred; and

    3. When individual information system usage or need-to-know changes;

  o i. Authorizes access to the information system based on:

    1. A valid access authorization;

    2. Intended system usage; and

    3. Other attributes as required by the organization or associated missions/business functions;

  o j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and

  o k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

• AC-3 ACCESS ENFORCEMENT - Control: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

• AC-5 SEPARATION OF DUTIES - Control: The organization:

  o a. Separates [Assignment: organization-defined duties of individuals];

  o b. Documents separation of duties of individuals; and

  o c. Defines information system access authorizations to support separation of duties.

• AC-6 LEAST PRIVILEGE - Control: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
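The AC-3, AC-5 and AC-6 controls appear under PR.AC-4 above and again here under PR.AC-6. As an added example serving both places (it is not part of the plan), the following Python code models role-based authorization with a separation-of-duties matrix: a role grant that would combine conflicting permissions is refused before it takes effect (AC-5 c), access is denied unless some assigned role grants it (AC-3), and a least-privilege review lists permissions an identity holds but has never exercised (AC-6). The roles, permissions and conflict pairs are hypothetical finance-office examples constructed for the illustration.

```python
# Hypothetical roles and the permissions they grant (constructed for this example).
ROLE_PERMISSIONS = {
    "ap_clerk":    {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve"},
    "treasurer":   {"payment.release"},
    "auditor":     {"ledger.read"},
}

# Separation-of-duties matrix (AC-5 a): no single identity may hold both permissions
# in a pair, so nobody can enter and approve an invoice, or create a vendor and pay it.
SOD_CONFLICTS = {
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.approve", "payment.release"}),
}


def effective_permissions(roles):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for r in roles:
        perms |= ROLE_PERMISSIONS[r]
    return perms


def sod_violations(roles):
    """Return the conflicting permission pairs that this role set would combine."""
    perms = effective_permissions(roles)
    return sorted(tuple(sorted(c)) for c in SOD_CONFLICTS if c <= perms)


def can_assign(current_roles, new_role):
    """Preventive check (AC-5 c): refuse a grant that would create a SoD conflict."""
    return not sod_violations(set(current_roles) | {new_role})


def is_authorized(roles, permission):
    """AC-3 enforcement: deny unless some assigned role grants the permission."""
    return permission in effective_permissions(roles)


def unused_permissions(roles, used):
    """Least-privilege review (AC-6): granted permissions never exercised in the period."""
    return sorted(effective_permissions(roles) - set(used))


if __name__ == "__main__":
    clerk = {"ap_clerk"}
    print(can_assign(clerk, "treasurer"))                 # False: vendor.create + payment.release
    print(can_assign(clerk, "auditor"))                   # True: read-only role adds no conflict
    print(is_authorized({"auditor"}, "payment.release"))  # False: no role grants it
    print(unused_permissions(clerk, ["invoice.enter"]))   # ['vendor.create']: candidate to remove
```

The preventive check belongs in the account-management workflow (AC-2 f), where it refuses the grant, while unused_permissions is the detective counterpart run at the AC-2 j review frequency against actual usage; a permission that no task needed during the review period is the one least-privilege says to take back.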

• AC-16 SECURITY ATTRIBUTES - Control: The organization:

  o a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;


  o b. Ensures that the security attribute associations are made and retained with the information;

  o c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and

  o d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.

• AC-19 ACCESS CONTROL FOR MOBILE DEVICES - Control: The organization:

  o a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and

  o b. Authorizes the connection of mobile devices to organizational information systems.

• IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) - Control: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

• IA-4 IDENTIFIER MANAGEMENT - Control: The organization manages information system identifiers by:

  o a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;

  o b. Selecting an identifier that identifies an individual, group, role, or device;

  o c. Assigning the identifier to the intended individual, group, role, or device;

  o d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and

  o e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].

• IA-5 AUTHENTICATOR MANAGEMENT - Control: The organization manages information system authenticators by:

  o a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;

  o b. Establishing initial authenticator content for authenticators defined by the organization;

  o c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;

  o d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;

  o e. Changing default content of authenticators prior to information system installation;

  o f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;

  o g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];

  o h. Protecting authenticator content from unauthorized disclosure and modification;

  o i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and

  o j. Changing authenticators for group/role accounts when membership to those accounts changes.

• IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) - Control: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
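As an added example (not from the plan), the following Python registry implements the identifier lifecycle that IA-4 describes: assignment only on authorization from an approver role (a), refusal to hand a released identifier to a new owner inside a lockout period (d), and disabling after a period of inactivity (e). The approver role, the 365-day lockout and the 90-day inactivity limit are constructed stand-ins for the [Assignment:] parameters, and run_scenario walks two hypothetical identifiers through the lifecycle so the registry's decisions can be checked.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical values for the [Assignment:] parameters in IA-4 (constructed for this example).
APPROVER_ROLES = {"it_manager"}          # IA-4 a: roles that may authorize an assignment
REUSE_LOCKOUT = timedelta(days=365)      # IA-4 d: a released identifier stays unavailable this long
INACTIVITY_LIMIT = timedelta(days=90)    # IA-4 e: an unused identifier is disabled after this


@dataclass
class Identifier:
    name: str
    owner: str
    assigned: date
    last_used: date
    enabled: bool = True
    released: Optional[date] = None      # set when the owner gives the identifier up


class IdentifierRegistry:
    """Tracks identifiers through assignment, use, inactivity and release."""

    def __init__(self):
        self._ids = {}                   # name -> Identifier; retired entries stay for the lockout

    def assign(self, name, owner, approver_role, today):
        if approver_role not in APPROVER_ROLES:
            raise PermissionError("identifier assignment needs an authorized approver")
        prior = self._ids.get(name)
        if prior is not None:
            if prior.released is None:
                raise ValueError(f"{name} is still assigned to {prior.owner}")
            if today - prior.released < REUSE_LOCKOUT:
                raise ValueError(f"{name} is inside its reuse lockout period")
        self._ids[name] = Identifier(name, owner, today, today)
        return self._ids[name]

    def record_use(self, name, today):
        ident = self._ids.get(name)
        if ident is None or not ident.enabled:
            return False                 # an unknown or disabled identifier cannot be used
        ident.last_used = today
        return True

    def release(self, name, today):
        ident = self._ids[name]
        ident.enabled = False
        ident.released = today

    def disable_inactive(self, today):
        """Disable every enabled identifier whose last use is older than INACTIVITY_LIMIT."""
        disabled = []
        for ident in self._ids.values():
            if ident.enabled and today - ident.last_used > INACTIVITY_LIMIT:
                ident.enabled = False
                disabled.append(ident.name)
        return sorted(disabled)

    def is_enabled(self, name):
        ident = self._ids.get(name)
        return ident is not None and ident.enabled


def run_scenario():
    """Walk two identifiers through the lifecycle and report what the registry decided."""
    reg = IdentifierRegistry()
    out = {}
    reg.assign("jdoe", "Jane Doe", "it_manager", date(2019, 1, 1))
    reg.assign("bsmith", "Bob Smith", "it_manager", date(2019, 1, 1))
    try:                                 # IA-4 a: a request from an unauthorized role
        reg.assign("tmp01", "Contractor", "helpdesk", date(2019, 1, 2))
        out["unapproved_assignment"] = "allowed"
    except PermissionError:
        out["unapproved_assignment"] = "refused"
    reg.record_use("jdoe", date(2019, 3, 1))
    out["disabled_for_inactivity"] = reg.disable_inactive(date(2019, 4, 15))   # IA-4 e
    out["bsmith_use_after_disable"] = reg.record_use("bsmith", date(2019, 5, 1))
    reg.release("jdoe", date(2019, 6, 1))
    try:                                 # IA-4 d: reuse attempted inside the lockout
        reg.assign("jdoe", "John Doe", "it_manager", date(2019, 9, 1))
        out["early_reuse"] = "allowed"
    except ValueError:
        out["early_reuse"] = "refused"
    reg.assign("jdoe", "John Doe", "it_manager", date(2020, 7, 1))
    out["reuse_after_lockout"] = reg.is_enabled("jdoe")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Keeping retired entries in the registry is what makes the IA-4 d check possible: the lockout exists so that audit records, file ownership and group memberships that still name the old identifier cannot silently attach to a new person, and that requires remembering releases, not just deleting the entry.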

• PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES - Control: The organization:

  o a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:

    1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and

  o b. Reviews and updates the current:

    1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and

    2. Physical and environmental protection procedures [Assignment: organization-defined frequency].

• PS-3 PERSONNEL SCREENING - Control: The organization:

  o a. Screens individuals prior to authorizing access to the information system; and

  o b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].

RISK MANAGEMENT:

• eRisk Self-Assessment
• Questions that apply

COMPLIANCE MANAGEMENT:

• PCI Compliance Requirements
• Requirements that apply
• HIPAA AND TEXAS HOUSE BILL 300 Requirements
• Requirements and questions that apply


RESOURCES REQUIRED

• Support agreements and other resources required to execute

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

• Document
• Document
• Document

DELIVERABLES STATUS:

Supplier | Deliverable | Consumer | Status