Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Employ an audited override of automated access control mechanisms under {{ insert: param, ac-03.10_odp.01 }} by {{ insert: param, ac-03.10_odp.02 }}.

Restrict access to data repositories containing {{ insert: param, ac-03.11_odp }}.

Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: {{ insert: param, ac-03.12_odp }}; Provide an enforcement mechanism to prevent unauthorized access; and Approve access changes after initial installation of the application.

Enforce attribute-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-03.13_odp }}.

Provide {{ insert: param, ac-03.14_odp.01 }} to enable individuals to have access to the following elements of their personally identifiable information: {{ insert: param, ac-03.14_odp.02 }}.

Enforce {{ insert: param, ac-3.15_prm_1 }} over the set of covered subjects and objects specified in the policy; and Enforce {{ insert: param, ac-3.15_prm_2 }} over the set of covered subjects and objects specified in the policy.

Enforce dual authorization for {{ insert: param, ac-03.02_odp }}.

Enforce {{ insert: param, ac-3.3_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy: Is uniformly enforced across the covered subjects and objects within the system; Specifies that a subject that has been granted access to information is constrained from doing any of the following; Passing the information to unauthorized subjects or objects; Granting its privileges to other subjects; Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and Changing the rules governing access control; and Specifies that {{ insert: param, ac-03.03_odp.03 }} may explicitly be granted {{ insert: param, ac-03.03_odp.04 }} such that they are not limited by any defined subset (or all) of the above constraints.

Enforce {{ insert: param, ac-3.4_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: Pass the information to any other subjects or objects; Grant its privileges to other subjects; Change security attributes on subjects, objects, the system, or the system’s components; Choose the security attributes to be associated with newly created or revised objects; or Change the rules governing access control.

Prevent access to {{ insert: param, ac-03.05_odp }} except during secure, non-operable system states.

Enforce a role-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-3.7_prm_1 }}.

Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on {{ insert: param, ac-03.08_odp }}.

Release information outside of the system only if: The receiving {{ insert: param, ac-03.09_odp.01 }} provides {{ insert: param, ac-03.09_odp.02 }} ; and {{ insert: param, ac-03.09_odp.03 }} are used to validate the appropriateness of the information designated for release.