Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/AC/Low

Template:Doc:NIST SP 800-53r3 Appendix F/AC-1

Determine if: (i) the organization develops and formally documents access control policy; (ii) the organization access control policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented access control policy to elements within the organization having associated access control roles and responsibilities; (iv) the organization develops and formally documents access control procedures; (v) the organization access control procedures facilitate implementation of the access control policy and associated access controls; and (vi) the organization disseminates formal documented access control procedures to elements within the organization having associated access control roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with access control responsibilities].

Determine if: (i) the organization defines the frequency of access control policy reviews/updates; (ii) the organization reviews/updates access control policy in accordance with organization-defined frequency; (iii) the organization defines the frequency of access control procedure reviews/updates; and (iv) the organization reviews/updates access control procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with access control responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-2

Determine if: (i) the organization manages information system accounts, including; identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary); establishing conditions for group membership; identifying authorized users of the information system and specifying access privileges; requiring appropriate approvals for requests to establish accounts; establishing, activating, modifying, disabling, and removing accounts; specifically authorizing and monitoring the use of guest/anonymous and temporary accounts; notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes; deactivating: i) temporary accounts that are no longer required; and ii) accounts of terminated or transferred users; and granting access to the system based on: a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions; and (ii) the organization defines the frequency of information system account reviews; and (iii) the organization reviews information system accounts in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing account management; security plan; list of active system accounts along with the name of the individual associated with each account; list of guest/anonymous and temporary accounts along with the name of the individual associated with each account and the date the account expires; lists of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; system-generated records with user IDs and last login date; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with account management responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-3

Determine if the information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; information system configuration settings and associated documentation; list of approved authorizations (user privileges); information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing access enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-7

Determine if: (i) the organization defines the maximum number of consecutive invalid login attempts to the information system by a user and the time period in which the consecutive invalid attempts occur; (ii) the information system enforces the organization-defined limit of consecutive invalid login attempts by a user during the organization-defined time period; (iii) the organization defines action to be taken by the system when the maximum number of unsuccessful login attempts is exceeded as: lock out the account/node for a specified time period; lock out the account/note until released by an administrator; or delay the next login prompt according to organization-defined delay algorithm; (iv) the information system either automatically locks the account/node for the organization-defined time period, locks the account/node until released by an administrator, or delays next login prompt for the organization-defined delay period when the maximum number of unsuccessful login attempts is exceeded; and (v) the information system performs the organization-defined actions when the maximum number of unsuccessful login attempts is exceeded regardless of whether the login occurs via a local or network connection.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing unsuccessful login attempts; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for unsuccessful login attempts].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-8

Determine if: (i) the organization approves the information system use notification message or banner to be displayed by the information system before granting access to the system; (ii) the information system displays the approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: users are accessing a U.S. Government information system; system usage may be monitored, recorded, and subject to audit; unauthorized use of the system is prohibited and subject to criminal and civil penalties; and use of the system indicates consent to monitoring and recording; and (iii) the information system retains the notification message or banner on the screen until the user takes explicit actions to log on to or further access the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; privacy and security policies; procedures addressing system use notification; documented approval of information system use notification messages or banners; information system notification messages; information system configuration settings and associated documentation; information system audit records for user acceptance of notification message or banner; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for system use notification].

Determine if: (i) the information system (for publicly accessible systems) displays the system use information when appropriate, before granting further access; (ii) the information system (for publicly accessible systems) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) the information system (for publicly accessible systems) includes in the notice given to public users of the information system, a description of the authorized uses of the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; privacy and security policies; procedures addressing system use notification; documented approval of information system use notification messages or banners; information system notification messages; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for system use notification].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-14

Determine if: (i) the organization identifies specific user actions that can be performed on the information system without identification or authentication; and (ii) the organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing permitted actions without identification and authentication; information system configuration settings and associated documentation; security plan; list of information system actions that can be performed without identification and authentication; information system audit records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-17

Determine if: (i) the organization documents allowed methods of remote access to the information system; (ii) the organization establishes usage restrictions and implementation guidance for each allowed remote access method; (iii) the organization monitors for unauthorized remote access to the information system; (iv) the organization authorizes remote access to the information system prior to connection; and (v) the organization enforces requirements for remote connections to the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with remote access authorization, monitoring, and control responsibilities].

Test: [SELECT FROM: Remote access methods for the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-18

Determine if: (i) the organization establishes usage restrictions and implementation guidance for wireless access; (ii) the organization monitors for unauthorized wireless access to the information system; (iii) the organization authorizes wireless access to the information system prior to connection; and (iv) the organization enforces requirements for wireless connections to the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); activities related to wireless monitoring, authorization, and enforcement; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel responsible for authorizing, monitoring or controlling the use of wireless technologies in the information system].

Test: [SELECT FROM: Wireless access usage and restrictions].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-19

Determine if: (i) the organization establishes usage restrictions and implementation guidance for organization-controlled portable and mobile devices; (ii) the organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems; (iii) the organization monitors for unauthorized connections of mobile devices to organizational information systems; (iv) the organization enforces requirements for the connection of mobile devices to organizational information systems; (v) the organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; (vi) the organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; (vii) the organization defines the inspection and preventative measures to be applied to mobile devices returning from locations that the organization deems to be of significant risk; and (viii) the organization applies organization-defined inspection and preventative measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing access control for portable and mobile devices; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel who use portable and mobile devices to access the information system].

Test: [SELECT FROM: Automated mechanisms implementing access control policy for portable and mobile devices].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-20

Determine if: (i) the organization identifies individuals authorized to: access the information system from the external information systems; and process, store, and/or transmit organization-controlled information using the external information systems; and (ii) the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: access the information system from the external information systems; and process, store, and/or transmit organization-controlled information using the external information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing the use of external information systems; external information systems terms and conditions; list of types of applications accessible from external information systems; maximum security categorization for information processed, stored, or transmitted on external information systems; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-22

Determine if: (i) the organization designates individuals authorized to post information onto an organizational information system that is publicly accessible; (ii) the organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (iii) the organization reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system; (iv) the organization defines the frequency of reviews of the content on the publicly accessible organizational information system for nonpublic information; (v) the organization reviews the content on the publicly accessible organizational information system for nonpublic information in accordance with the organization-defined frequency; and (vi) the organization removes nonpublic information from the publicly accessible organizational information system, if discovered.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing publicly accessible content; list of users authorized to post publicly accessible content on organizational information systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public Web sites; system audit logs; security awareness training records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel responsible for managing publicly accessible information posted on organizational information systems].