myctrl.tools
Compare

AC-3(3)Mandatory Access Control

>Control Description

Enforce organization-defined mandatory access control policy over the set of covered subjects and objects specified in the policy, and where the policy: a. Is uniformly enforced across the covered subjects and objects within the system; b. Specifies that a subject that has been granted access to information is constrained from doing any of the following; 1. Passing the information to unauthorized subjects or objects; 2. Granting its privileges to other subjects; 3. Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; 4. Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and 5. Changing the rules governing access control; and c. Specifies that organization-defined subjects may explicitly be granted organization-defined privileges such that they are not limited by any defined subset (or all) of the above constraints.

>Programmatic Queries

Beta

Related Services

AWS Organizations SCPs
IAM Permission Boundaries
AWS RAM

CLI Commands

List service control policies (SCPs)
aws organizations list-policies --filter SERVICE_CONTROL_POLICY
Get SCP content for mandatory controls
aws organizations describe-policy --policy-id POLICY_ID --query 'Policy.Content'
Create permission boundary for mandatory access control
aws iam create-policy --policy-name mandatory-boundary --policy-document file://mandatory-boundary.json
Attach permission boundary to user
aws iam put-user-permissions-boundary --user-name USERNAME --permissions-boundary ARN
Open AWS ConsoleDocumentation

>Supplemental Guidance

Mandatory access control is a type of nondiscretionary access control. Mandatory access control policies constrain what actions subjects can take with information obtained from objects for which they have already been granted access. This prevents the subjects from passing the information to unauthorized subjects and objects.

Mandatory access control policies constrain actions that subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the system has control. Otherwise, the access control policy can be circumvented.

This enforcement is provided by an implementation that meets the reference monitor concept as described in AC-25. The policy is bounded by the system (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-06).

Trusted subjects are only given the minimum privileges necessary for satisfying organizational mission/business needs relative to the above policy. The control is most applicable when there is a mandate that establishes a policy regarding access to controlled unclassified information or classified information and some users of the system are not authorized access to all such information resident in the system. Mandatory access control can operate in conjunction with discretionary access control as described in AC-03(04).

A subject constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of AC-3(4), but mandatory access control policies take precedence over the less rigorous constraints of AC-3(4). For example, while a mandatory access control policy imposes a constraint that prevents a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any other subject with the same impact or classification level as the subject. Examples of mandatory access control policies include the Bell-LaPadula policy to protect confidentiality of information and the Biba policy to protect the integrity of information.

>Related Controls

SC-7

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AC-3(3) (Mandatory Access Control)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AC-3(3)?
  • How frequently is the AC-3(3) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AC-3(3)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AC-3(3) requirements.
  • What automated tools, systems, or technologies are deployed to implement AC-3(3)?
  • How is AC-3(3) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AC-3(3) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AC-3(3)?
  • What audit logs, records, reports, or monitoring data validate AC-3(3) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AC-3(3) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AC-3(3) compliance?

Ask AI

Configure your API key to use AI features.