Under active development — Content is continuously updated and improved

Home / Frameworks / NIST SP 800-53 / AC — Access Control

AC — Access Control

147 controls in the Access Control family

AC-1Policy And Procedures

AC-2Account Management

AC-2(1)Automated System Account Management

AC-2(2)Automated Temporary And Emergency Account Management

AC-2(3)Disable Accounts

AC-2(4)Automated Audit Actions

AC-2(5)Inactivity Logout

AC-2(6)Dynamic Privilege Management

AC-2(7)Privileged User Accounts

AC-2(8)Dynamic Account Management

AC-2(9)Restrictions On Use Of Shared And Group Accounts

AC-2(10)Shared And Group Account Credential Change

AC-2(11)Usage Conditions

AC-2(12)Account Monitoring For Atypical Usage

AC-2(13)Disable Accounts For High-Risk Individuals

AC-3Access Enforcement

AC-3(1)Restricted Access To Privileged Functions

AC-3(2)Dual Authorization

AC-3(3)Mandatory Access Control

AC-3(4)Discretionary Access Control

AC-3(5)Security-Relevant Information

AC-3(6)Protection Of User And System Information

AC-3(7)Role-Based Access Control

AC-3(8)Revocation Of Access Authorizations

AC-3(9)Controlled Release

AC-3(10)Audited Override Of Access Control Mechanisms

AC-3(11)Restrict Access To Specific Information Types

AC-3(12)Assert And Enforce Application Access

AC-3(13)Attribute-Based Access Control

AC-3(14)Individual Access

AC-3(15)Discretionary And Mandatory Access Control

AC-4Information Flow Enforcement

AC-4(1)Object Security And Privacy Attributes

AC-4(2)Processing Domains

AC-4(3)Dynamic Information Flow Control

AC-4(4)Flow Control Of Encrypted Information

AC-4(5)Embedded Data Types

AC-4(6)Metadata

AC-4(7)One-Way Flow Mechanisms

AC-4(8)Security And Privacy Policy Filters

AC-4(9)Human Reviews

AC-4(10)Enable And Disable Security Or Privacy Policy Filters

AC-4(11)Configuration Of Security Or Privacy Policy Filters

AC-4(12)Data Type Identifiers

AC-4(13)Decomposition Into Policy-Relevant Subcomponents

AC-4(14)Security Or Privacy Policy Filter Constraints

AC-4(15)Detection Of Unsanctioned Information

AC-4(16)Information Transfers On Interconnected Systems

AC-4(17)Domain Authentication

AC-4(18)Security Attribute Binding

AC-4(19)Validation Of Metadata

AC-4(20)Approved Solutions

AC-4(21)Physical Or Logical Separation Of Information Flows

AC-4(22)Access Only

AC-4(23)Modify Non-Releasable Information

AC-4(24)Internal Normalized Format

AC-4(25)Data Sanitization

AC-4(26)Audit Filtering Actions

AC-4(27)Redundant/Independent Filtering Mechanisms

AC-4(28)Linear Filter Pipelines

AC-4(29)Filter Orchestration Engines

AC-4(30)Filter Mechanisms Using Multiple Processes

AC-4(31)Failed Content Transfer Prevention

AC-4(32)Process Requirements For Information Transfer

AC-5Separation Of Duties

AC-6Least Privilege

AC-6(1)Authorize Access To Security Functions

AC-6(2)Non-Privileged Access For Nonsecurity Functions

AC-6(3)Network Access To Privileged Commands

AC-6(4)Separate Processing Domains

AC-6(5)Privileged Accounts

AC-6(6)Privileged Access By Non-Organizational Users

AC-6(7)Review Of User Privileges

AC-6(8)Privilege Levels For Code Execution

AC-6(9)Log Use Of Privileged Functions

AC-6(10)Prohibit Non-Privileged Users From Executing Privileged Functions

AC-7Unsuccessful Logon Attempts

AC-7(1)Automatic Account Lock

AC-7(2)Purge Or Wipe Mobile Device

AC-7(3)Biometric Attempt Limiting

AC-7(4)Use Of Alternate Authentication Factor

AC-8System Use Notification

AC-9Previous Logon Notification

AC-9(1)Unsuccessful Logons

AC-9(2)Successful And Unsuccessful Logons

AC-9(3)Notification Of Account Changes

AC-9(4)Additional Logon Information

AC-10Concurrent Session Control

AC-11Device Lock

AC-11(1)Pattern-Hiding Displays

AC-12Session Termination

AC-12(1)User-Initiated Logouts

AC-12(2)Termination Message

AC-12(3)Timeout Warning Message

AC-13Supervision And Review -- Access Control

AC-14Permitted Actions Without Identification Or Authentication

AC-14(1)Necessary Uses

AC-15Automated Marking

AC-16Security And Privacy Attributes

AC-16(1)Dynamic Attribute Association

AC-16(2)Attribute Value Changes By Authorized Individuals

AC-16(3)Maintenance Of Attribute Associations By System

AC-16(4)Association Of Attributes By Authorized Individuals

AC-16(5)Attribute Displays On Objects To Be Output

AC-16(6)Maintenance Of Attribute Association

AC-16(7)Consistent Attribute Interpretation

AC-16(8)Association Techniques And Technologies

AC-16(9)Attribute Reassignment -- Regrading Mechanisms

AC-16(10)Attribute Configuration By Authorized Individuals

AC-17Remote Access

AC-17(1)Monitoring And Control

AC-17(2)Protection Of Confidentiality And Integrity Using Encryption

AC-17(3)Managed Access Control Points

AC-17(4)Privileged Commands And Access

AC-17(5)Monitoring For Unauthorized Connections

AC-17(6)Protection Of Mechanism Information

AC-17(7)Additional Protection For Security Function Access

AC-17(8)Disable Nonsecure Network Protocols

AC-17(9)Disconnect Or Disable Access

AC-17(10)Authenticate Remote Commands

AC-18Wireless Access

AC-18(1)Authentication And Encryption

AC-18(2)Monitoring Unauthorized Connections

AC-18(3)Disable Wireless Networking

AC-18(4)Restrict Configurations By Users

AC-18(5)Antennas And Transmission Power Levels

AC-19Access Control For Mobile Devices

AC-19(1)Use Of Writable And Portable Storage Devices

AC-19(2)Use Of Personally Owned Portable Storage Devices

AC-19(3)Use Of Portable Storage Devices With No Identifiable Owner

AC-19(4)Restrictions For Classified Information

AC-19(5)Full Device Or Container-Based Encryption

AC-20Use Of External Systems

AC-20(1)Limits On Authorized Use

AC-20(2)Portable Storage Devices -- Restricted Use

AC-20(3)Non-Organizationally Owned Systems -- Restricted Use

AC-20(4)Network Accessible Storage Devices -- Prohibited Use

AC-20(5)Portable Storage Devices -- Prohibited Use

AC-21Information Sharing

AC-21(1)Automated Decision Support

AC-21(2)Information Search And Retrieval

AC-22Publicly Accessible Content

AC-23Data Mining Protection

AC-24Access Control Decisions

AC-24(1)Transmit Access Authorization Information

AC-24(2)No User Or Process Identity

AC-25Reference Monitor

← Back to all controls