Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}: {{ insert: param, ac-01_odp.03 }} access control policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation of the access control policy and the associated access controls; Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and Review and update the current access control: Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}.

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.01_odp }}.

Display an explicit logout message to users indicating the termination of authenticated communications sessions.

Display an explicit message to users indicating that the session will end in {{ insert: param, ac-12.03_odp }}.

Dynamically associate security and privacy attributes with {{ insert: param, ac-16.1_prm_1 }} in accordance with the following security and privacy policies as information is created and combined: {{ insert: param, ac-16.1_prm_2 }}.

Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.

Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.

Maintain the association and integrity of {{ insert: param, ac-16.3_prm_1 }} to {{ insert: param, ac-16.3_prm_2 }}.

Provide the capability to associate {{ insert: param, ac-16.4_prm_1 }} with {{ insert: param, ac-16.4_prm_2 }} by authorized individuals (or processes acting on behalf of individuals).

Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }}.

Require personnel to associate and maintain the association of {{ insert: param, ac-16.6_prm_1 }} with {{ insert: param, ac-16.6_prm_2 }} in accordance with {{ insert: param, ac-16.6_prm_3 }}.

Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.

Implement {{ insert: param, ac-16.8_prm_1 }} in associating security and privacy attributes to information.

Change security and privacy attributes associated with information only via regrading mechanisms validated using {{ insert: param, ac-16.9_prm_1 }}.

Employ automated mechanisms to monitor and control remote access methods.

Implement {{ insert: param, ac-17.10_odp.01 }} to authenticate {{ insert: param, ac-17.10_odp.02 }}.

Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

Route remote accesses through authorized and managed network access control points.

Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ insert: param, ac-17.4_prm_1 }} ; and Document the rationale for remote access in the security plan for the system.

Protect information about remote access mechanisms from unauthorized use and disclosure.

Provide the capability to disconnect or disable remote access to the system within {{ insert: param, ac-17.09_odp }}.

Protect wireless access to the system using authentication of {{ insert: param, ac-18.01_odp }} and encryption.

Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.

Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.

Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.

Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information: Connection of unclassified mobile devices to classified systems is prohibited; Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official; Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by {{ insert: param, ac-19.04_odp.01 }} , and if classified information is found, the incident handling policy is followed. Restrict the connection of classified mobile devices to classified systems in accordance with {{ insert: param, ac-19.04_odp.02 }}.

Employ {{ insert: param, ac-19.05_odp.01 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.

Define and document the types of accounts allowed and specifically prohibited for use within the system; Assign account managers; Require {{ insert: param, ac-02_odp.01 }} for group and role membership; Specify: Authorized users of the system; Group and role membership; and Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account; Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts; Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }}; Monitor the use of accounts; Notify account managers and {{ insert: param, ac-02_odp.05 }} within: {{ insert: param, ac-02_odp.06 }} when accounts are no longer required; {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual; Authorize access to the system based on: A valid access authorization; Intended system usage; and {{ insert: param, ac-02_odp.09 }}; Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }}; Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and Align account management processes with personnel termination and transfer processes.

Support the management of system accounts using {{ insert: param, ac-02.01_odp }}.

Enforce {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }}.

Monitor system accounts for {{ insert: param, ac-02.12_odp.01 }} ; and Report atypical usage of system accounts to {{ insert: param, ac-02.12_odp.02 }}.

Disable accounts of individuals within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.

Automatically {{ insert: param, ac-02.02_odp.01 }} temporary and emergency accounts after {{ insert: param, ac-02.02_odp.02 }}.

Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts: Have expired; Are no longer associated with a user or individual; Are in violation of organizational policy; or Have been inactive for {{ insert: param, ac-02.03_odp.02 }}.

Automatically audit account creation, modification, enabling, disabling, and removal actions.

Require that users log out when {{ insert: param, ac-02.05_odp }}.

Implement {{ insert: param, ac-02.06_odp }}.

Establish and administer privileged user accounts in accordance with {{ insert: param, ac-02.07_odp }}; Monitor privileged role or attribute assignments; Monitor changes to roles or attributes; and Revoke access when privileged role or attribute assignments are no longer appropriate.

Create, activate, manage, and deactivate {{ insert: param, ac-02.08_odp }} dynamically.

Only permit the use of shared and group accounts that meet {{ insert: param, ac-02.09_odp }}.

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after: Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or Retention of approved system connection or processing agreements with the organizational entity hosting the external system.

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ insert: param, ac-20.02_odp }}.

Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using {{ insert: param, ac-20.03_odp }}.

Prohibit the use of {{ insert: param, ac-20.04_odp }} in external systems.

Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.

Employ {{ insert: param, ac-21.01_odp }} to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

Implement information search and retrieval services that enforce {{ insert: param, ac-21.02_odp }}.

Designate individuals authorized to make information publicly accessible; Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered.

{{ insert: param, ac-24_odp.01 }} to ensure {{ insert: param, ac-24_odp.02 }} are applied to each access request prior to access enforcement.

Transmit {{ insert: param, ac-24.01_odp.01 }} using {{ insert: param, ac-24.01_odp.02 }} to {{ insert: param, ac-24.01_odp.03 }} that enforce access control decisions.