Enforce access control decisions based on {{ insert: param, ac-24.2_prm_1 }} that do not include the identity of the user or process acting on behalf of the user.
family AC
framework nist-800-53
Implement a reference monitor for {{ insert: param, ac-25_odp }} that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
family AC
framework nist-800-53
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
family AC
framework nist-800-53
family AC
framework nist-800-53
Employ an audited override of automated access control mechanisms under {{ insert: param, ac-03.10_odp.01 }} by {{ insert: param, ac-03.10_odp.02 }}.
family AC
framework nist-800-53
Restrict access to data repositories containing {{ insert: param, ac-03.11_odp }}.
family AC
framework nist-800-53
Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: {{ insert: param, ac-03.12_odp }}; Provide an enforcement mechanism to prevent unauthorized access; and Approve access changes after initial installation of the application.
family AC
framework nist-800-53
Enforce attribute-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-03.13_odp }}.
family AC
framework nist-800-53
Provide {{ insert: param, ac-03.14_odp.01 }} to enable individuals to have access to the following elements of their personally identifiable information: {{ insert: param, ac-03.14_odp.02 }}.
family AC
framework nist-800-53
Enforce {{ insert: param, ac-3.15_prm_1 }} over the set of covered subjects and objects specified in the policy; and Enforce {{ insert: param, ac-3.15_prm_2 }} over the set of covered subjects and objects specified in the policy.
family AC
framework nist-800-53
Enforce dual authorization for {{ insert: param, ac-03.02_odp }}.
family AC
framework nist-800-53
Enforce {{ insert: param, ac-3.3_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy: Is uniformly enforced across the covered subjects and objects within the system; Specifies that a subject that has been granted access to information is constrained from doing any of the following; Passing the information to unauthorized subjects or objects; Granting its privileges to other subjects; Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and Changing the rules governing access control; and Specifies that {{ insert: param, ac-03.03_odp.03 }} may explicitly be granted {{ insert: param, ac-03.03_odp.04 }} such that they are not limited by any defined subset (or all) of the above constraints.
family AC
framework nist-800-53
Enforce {{ insert: param, ac-3.4_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: Pass the information to any other subjects or objects; Grant its privileges to other subjects; Change security attributes on subjects, objects, the system, or the system’s components; Choose the security attributes to be associated with newly created or revised objects; or Change the rules governing access control.
family AC
framework nist-800-53
Prevent access to {{ insert: param, ac-03.05_odp }} except during secure, non-operable system states.
family AC
framework nist-800-53
family AC
framework nist-800-53
Enforce a role-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-3.7_prm_1 }}.
family AC
framework nist-800-53
Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on {{ insert: param, ac-03.08_odp }}.
family AC
framework nist-800-53
Release information outside of the system only if: The receiving {{ insert: param, ac-03.09_odp.01 }} provides {{ insert: param, ac-03.09_odp.02 }} ; and {{ insert: param, ac-03.09_odp.03 }} are used to validate the appropriateness of the information designated for release.
family AC
framework nist-800-53
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.
family AC
framework nist-800-53
Use {{ insert: param, ac-4.1_prm_1 }} associated with {{ insert: param, ac-4.1_prm_2 }} to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions.
family AC
framework nist-800-53
Provide the capability for privileged administrators to enable and disable {{ insert: param, ac-4.10_prm_1 }} under the following conditions: {{ insert: param, ac-4.10_prm_2 }}.
family AC
framework nist-800-53
Provide the capability for privileged administrators to configure {{ insert: param, ac-4.11_prm_1 }} to support different security or privacy policies.
family AC
framework nist-800-53
When transferring information between different security domains, use {{ insert: param, ac-04.12_odp }} to validate data essential for information flow decisions.
family AC
framework nist-800-53
When transferring information between different security domains, decompose information into {{ insert: param, ac-04.13_odp }} for submission to policy enforcement mechanisms.
family AC
framework nist-800-53
When transferring information between different security domains, implement {{ insert: param, ac-4.14_prm_1 }} requiring fully enumerated formats that restrict data structure and content.
family AC
framework nist-800-53
When transferring information between different security domains, examine the information for the presence of {{ insert: param, ac-04.15_odp.01 }} and prohibit the transfer of such information in accordance with the {{ insert: param, ac-4.15_prm_2 }}.
family AC
framework nist-800-53
family AC
framework nist-800-53
Uniquely identify and authenticate source and destination points by {{ insert: param, ac-04.17_odp }} for information transfer.
family AC
framework nist-800-53
family AC
framework nist-800-53
When transferring information between different security domains, implement {{ insert: param, ac-4.19_prm_1 }} on metadata.
family AC
framework nist-800-53
Use protected processing domains to enforce {{ insert: param, ac-04.02_odp }} as a basis for flow control decisions.
family AC
framework nist-800-53
Employ {{ insert: param, ac-04.20_odp.01 }} to control the flow of {{ insert: param, ac-04.20_odp.02 }} across security domains.
family AC
framework nist-800-53
Separate information flows logically or physically using {{ insert: param, ac-4.21_prm_1 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}.
family AC
framework nist-800-53
Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.
family AC
framework nist-800-53
When transferring information between different security domains, modify non-releasable information by implementing {{ insert: param, ac-04.23_odp }}.
family AC
framework nist-800-53
When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.
family AC
framework nist-800-53
When transferring information between different security domains, sanitize data to minimize {{ insert: param, ac-04.25_odp.01 }} in accordance with {{ insert: param, ac-04.25_odp.02 }}.
family AC
framework nist-800-53
When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.
family AC
framework nist-800-53
When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.
family AC
framework nist-800-53
When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.
family AC
framework nist-800-53
When transferring information between different security domains, employ content filter orchestration engines to ensure that: Content filtering mechanisms successfully complete execution without errors; and Content filtering actions occur in the correct order and comply with {{ insert: param, ac-04.29_odp }}.
family AC
framework nist-800-53
Enforce {{ insert: param, ac-04.03_odp }}.
family AC
framework nist-800-53
When transferring information between different security domains, implement content filtering mechanisms using multiple processes.
family AC
framework nist-800-53
When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.
family AC
framework nist-800-53
When transferring information between different security domains, the process that transfers information between filter pipelines: Does not filter message content; Validates filtering metadata; Ensures the content associated with the filtering metadata has successfully completed filtering; and Transfers the content to the destination filter pipeline.
family AC
framework nist-800-53
Prevent encrypted information from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.
family AC
framework nist-800-53
Enforce {{ insert: param, ac-04.05_odp }} on embedding data types within other data types.
family AC
framework nist-800-53
Enforce information flow control based on {{ insert: param, ac-04.06_odp }}.
family AC
framework nist-800-53
Enforce one-way information flows through hardware-based flow control mechanisms.
family AC
framework nist-800-53
Enforce information flow control using {{ insert: param, ac-4.8_prm_1 }} as a basis for flow control decisions for {{ insert: param, ac-4.8_prm_2 }} ; and {{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-4.8_prm_4 }}.
family AC
framework nist-800-53
Enforce the use of human reviews for {{ insert: param, ac-04.09_odp.01 }} under the following conditions: {{ insert: param, ac-04.09_odp.02 }}.
family AC
framework nist-800-53
Identify and document {{ insert: param, ac-05_odp }} ; and Define system access authorizations to support separation of duties.
family AC
framework nist-800-53
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
family AC
framework nist-800-53
Authorize access for {{ insert: param, ac-06.01_odp.01 }} to: {{ insert: param, ac-6.1_prm_2 }} ; and {{ insert: param, ac-06.01_odp.05 }}.
family AC
framework nist-800-53
Prevent non-privileged users from executing privileged functions.
family AC
framework nist-800-53
Require that users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} use non-privileged accounts or roles, when accessing nonsecurity functions.
family AC
framework nist-800-53
Authorize network access to {{ insert: param, ac-06.03_odp.01 }} only for {{ insert: param, ac-06.03_odp.02 }} and document the rationale for such access in the security plan for the system.
family AC
framework nist-800-53
Provide separate processing domains to enable finer-grained allocation of user privileges.
family AC
framework nist-800-53
Restrict privileged accounts on the system to {{ insert: param, ac-06.05_odp }}.
family AC
framework nist-800-53
Prohibit privileged access to the system by non-organizational users.
family AC
framework nist-800-53
Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
family AC
framework nist-800-53
Prevent the following software from executing at higher privilege levels than users executing the software: {{ insert: param, ac-06.08_odp }}.
family AC
framework nist-800-53
Log the execution of privileged functions.
family AC
framework nist-800-53
Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.
family AC
framework nist-800-53
family AC
framework nist-800-53
Purge or wipe information from {{ insert: param, ac-07.02_odp.01 }} based on {{ insert: param, ac-07.02_odp.02 }} after {{ insert: param, ac-07.02_odp.03 }} consecutive, unsuccessful device logon attempts.
family AC
framework nist-800-53
Limit the number of unsuccessful biometric logon attempts to {{ insert: param, ac-07.03_odp }}.
family AC
framework nist-800-53
Allow the use of {{ insert: param, ac-07.04_odp.01 }} that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and Enforce a limit of {{ insert: param, ac-07.04_odp.02 }} consecutive invalid logon attempts through use of the alternative factors by a user during a {{ insert: param, ac-07.04_odp.03 }}.
family AC
framework nist-800-53
Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: Users are accessing a U.S. Government system; System usage may be monitored, recorded, and subject to audit; Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and Use of the system indicates consent to monitoring and recording; Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and For publicly accessible systems: Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system; Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and Include a description of the authorized uses of the system.
family AC
framework nist-800-53
Notify the user, upon successful logon to the system, of the date and time of the last logon.
family AC
framework nist-800-53
Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
family AC
framework nist-800-53
Notify the user, upon successful logon, of the number of {{ insert: param, ac-09.02_odp.01 }} during {{ insert: param, ac-09.02_odp.02 }}.
family AC
framework nist-800-53
Notify the user, upon successful logon, of changes to {{ insert: param, ac-09.03_odp.01 }} during {{ insert: param, ac-09.03_odp.02 }}.
family AC
framework nist-800-53
Notify the user, upon successful logon, of the following additional information: {{ insert: param, ac-09.04_odp }}.
family AC
framework nist-800-53
Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}: {{ insert: param, at-01_odp.03 }} awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and Review and update the current awareness and training: Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}.
family AT
framework nist-800-53
Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and When required by system changes or following {{ insert: param, at-2_prm_2 }}; Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }}; Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.
family AT
framework nist-800-53
Provide practical exercises in literacy training that simulate events and incidents.
family AT
framework nist-800-53
Provide literacy training on recognizing and reporting potential indicators of insider threat.
family AT
framework nist-800-53
Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
family AT
framework nist-800-53
Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using {{ insert: param, at-02.04_odp }}.
family AT
framework nist-800-53