myctrl.tools
AC-2(6) Dynamic Privilege Management

Control Description

Implement organization-defined dynamic privilege management capabilities.

Supplemental Guidance

In contrast to access control approaches that employ static accounts and predefined user privileges, dynamic access control approaches rely on runtime access control decisions facilitated by dynamic privilege management, such as attribute-based access control. While user identities remain relatively constant over time, user privileges typically change more frequently based on ongoing mission or business requirements and the operational needs of organizations. An example of dynamic privilege management is the immediate revocation of privileges from users as opposed to requiring that users terminate and restart their sessions to reflect changes in privileges.

Dynamic privilege management can also include mechanisms that change user privileges based on dynamic rules as opposed to editing specific user profiles. Examples include automatic adjustments of user privileges if they are operating out of their normal work times, if their job function or assignment changes, or if systems are under duress or in emergency situations. Dynamic privilege management includes the effects of privilege changes, for example, when there are changes to encryption keys used for communications.
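The guidance above describes decisions made at request time from current attributes rather than from privileges fixed at login. The following Python sketch, an added example that is not part of the control text or of any product, shows that pattern: a session holds only an identity, every request re-evaluates a small rule set (role, normal work hours, duress mode), and revoking a role takes effect on the very next request without restarting the session. The user, role, operation names and hours are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed attribute store. In a real system this would be an identity
# provider or policy information point queried at decision time.
ATTRS = {"alice": {"roles": {"db-admin"}, "work_hours": (8, 18)}}

# Operations that the dynamic rules treat as sensitive (constructed).
SENSITIVE_OPS = {"db:drop", "db:export"}


@dataclass
class Environment:
    """Environmental attributes supplied with each request."""
    now: datetime
    duress: bool = False


def env_at(hour, duress=False):
    """Helper to build an Environment for a given hour on a fixed sample day."""
    return Environment(datetime(2024, 1, 15, hour, 0), duress)


def authorize(user, op, env):
    """Runtime decision: reads ATTRS now, so attribute changes apply immediately."""
    subj = ATTRS.get(user)
    if subj is None:
        return False, "unknown user"
    start, end = subj["work_hours"]
    in_hours = start <= env.now.hour < end
    # Dynamic rules from the guidance: duress and off-hours narrow privileges.
    if env.duress and op in SENSITIVE_OPS:
        return False, "duress mode: sensitive operations suspended"
    if not in_hours and op in SENSITIVE_OPS:
        return False, "outside normal work hours"
    if op.startswith("db:") and "db-admin" in subj["roles"]:
        return True, "granted by role db-admin"
    return False, "no matching rule"


def revoke_role(user, role):
    """Immediate revocation: no session teardown is needed for it to apply."""
    ATTRS[user]["roles"].discard(role)


class Session:
    """A long-lived session that caches identity only, never a privilege set."""
    def __init__(self, user):
        self.user = user

    def request(self, op, env):
        return authorize(self.user, op, env)
```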

Related Controls

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AC-2(6) (Dynamic Privilege Management)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AC-2(6)?
  • How frequently is the AC-2(6) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AC-2(6)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AC-2(6) requirements.
  • What automated tools, systems, or technologies are deployed to implement AC-2(6)?
  • How is AC-2(6) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AC-2(6) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AC-2(6)?
  • What audit logs, records, reports, or monitoring data validate AC-2(6) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AC-2(6) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AC-2(6) compliance?