Access control

AC-01 Access control policy and procedures

Activity

Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]
1. [Selection (1 or more): Organization-level; Mission/business process-level; System-level] access control policy that
  1. addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
  2. is consistent with applicable laws, Orders in Council, jurisprudence, directives, regulations, policies, standards, and guidelines
2. procedures to facilitate the implementation of the access control policy and the associated access controls
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures
Review and update the current access control
1. policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
2. procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]

Discussion

Access control policies and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy functions collaborate on the development of access control policy and procedures. In general, security and privacy framework policies and procedures at the organization level are preferable and may prevent the need for mission- or system-specific policies and procedures. The access control policies can be included as part of the general security and privacy framework or be represented by multiple policies reflecting the complex nature of organizations.

Procedures can be established for security and privacy, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Privacy procedures should not be ad hoc in nature.

Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, legislative changes, jurisprudence, Orders in Council, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

Related controls and activities

IA-01, PM-09, PM-24, PS-08, SI-02, SI-12.

Enhancements: None

References:

Top of page

AC-02 Account management

Control

Define and document the types of accounts allowed and specifically prohibited for use within the system
Assign account managers and data custodians
Require [Assignment: organization-defined prerequisites and criteria] for group and role membership
Specify
1. authorized users of the system
2. group and role membership
3. access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account
Require approvals by [Assignment: organization-defined personnel orroles] for requests to create accounts
Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]
Monitor the use of accounts
Notify account managers and [Assignment: organization-defined personnel or roles] within
1. [Assignment: organization-defined time period] when accounts are no longer required or are dormant
2. [Assignment: organization-defined time period] when users are terminated or transferred
3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual
Authorize access to the system based on
1. a valid access authorization
2. intended system usage
3. [Assignment: organization-defined attributes (as required)]
Periodically review accounts for compliance with account management requirements [Assignment: organization-defined frequency]
Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group
Align account management processes with personnel termination and transfer processes

Discussion

Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls related to security and privacy. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission, or business owner, senior official in the department’s security governance, data custodian, or appropriate privacy senior official or executive. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.

Where access involves personal information, security and privacy officials collaborate with the data custodian to establish the specific conditions for group and role membership; identify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts.

Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the 2. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.

Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates.

Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.

Related controls and activities

AC-03, AC-05, AC-06, AC-17, AC-18, AC-20, AC-24, AU-02, AU-12, CM-05, IA-02, IA-04, IA-05, IA-08, MA-03, MA-05, PE-02, PL-04, PS-02, PS-04, PS-05, PS-07, PT-02, PT-03, SC-07, SC-12, SC-13, SC-37.

Enhancements

(01) Account management: Automated system account management
- Support of system accounts using [Assignment: organization-defined automated mechanisms].
- Discussion: Automated system account management includes using automated mechanisms to
  - create, enable, modify, disable, and remove accounts
  - notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred
  - monitor system account usage; and report atypical system account usage
- Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications.
- Related controls and activities: None.
(02) Account management: Automated temporary and emergency accounts management
- Automatically [Selection (1): remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
- Discussion: Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation.
- Related controls and activities: None.
(03) Account management: Disable accounts
- Disable accounts within [Assignment: organization-defined time period] when the accounts
  1. have expired
  2. are no longer associated with a user or individual
  3. are in violation of organizational policy
  4. have been inactive for [Assignment: organization-defined time period]
- Discussion: Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system.
- Related controls and activities: None
(04) Account management: Automated audit actions
- Automatically audit account creation, modification, enabling, disabling, and removal actions.
- Discussion: Account management audit records are defined in accordance with AU-02 and reviewed, analyzed, and reported in accordance with AU-06.
- Related controls and activities: AU-02, AU-06.
(05) Account management: Inactivity logout
- Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].
- Discussion: Inactivity logout is behaviour- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by AC-11.
- Related controls and activities: AC-11.
(06) Account management: Dynamic privilege management
- Implement [Assignment: organization-defined dynamic privilege management capabilities].
- Discussion: In contrast to access control approaches that employ static accounts and predefined user privileges, dynamic access control approaches rely on runtime access control decisions facilitated by dynamic privilege management, such as attribute-based access control (ABAC).
  While user identities remain relatively constant over time, user privileges typically change more frequently based on ongoing mission or business requirements and the operational needs of organizations. An example of dynamic privilege management is the immediate revocation of privileges from users as opposed to requiring that users terminate and restart their sessions to reflect changes in privileges.
  Dynamic privilege management can also include mechanisms that change user privileges based on dynamic rules as opposed to editing specific user profiles. Examples include automatic adjustments of user privileges if they are operating out of their normal work times, if their job function or assignment changes, or if systems are under duress or in emergency situations. Dynamic privilege management includes the effects of privilege changes, for example, when there are changes to encryption keys used for communications.
- Related controls and activities: AC-16.
(07) Account management: Privileged user accounts
- 1. Establish and administer privileged user accounts in accordance with [Selection (1): a role-based access scheme; an attribute-based access scheme]
  2. Monitor privileged role or attribute assignments
  3. Monitor changes to roles or attributes
  4. Revoke access when privileged role or attribute assignments are no longer appropriate
- Discussion: Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.
- Related controls and activities: None.
(08) Account management: Dynamic account management
- Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically.
- Discussion: Approaches for dynamically creating, activating, managing, and deactivating system accounts rely on automatically provisioning the accounts at runtime for entities that were previously unknown. Organizations plan for the dynamic management, creation, activation, and deactivation of system accounts by establishing trust relationships, business rules, and mechanisms with appropriate authorities to validate related authorizations and privileges.
- Related controls and activities: AC-16.
(09) Account management: Restrictions on use of shared and group accounts
- Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts].
- Discussion: Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts.
- Related controls and activities: None.
(10) Account management: Shared and group account credential change
- Withdrawn: Incorporated into AC-02.
(11) Account management: Usage conditions
- Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts].
- Discussion: Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time.
- Related controls and activities: None.
(12) Account management: Account monitoring for atypical usage
- 1. Monitor system accounts for [Assignment: organization-defined atypical usage]
  2. Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles]
- Discussion: Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behaviour by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behaviour of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment (PIA) and make determinations that are in alignment with their privacy program plan.
- Related controls and activities: AU-06, AU-07, CA-07, IR-08, SI-04.
(13) Account management: Disable accounts for high-risk individuals
- Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks].
- Discussion: Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or Canada. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals.
- Related controls and activities: AU-06, SI-04.

References:

Top of page

AC-03 Access enforcement

Control

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Discussion

Access control policies control or document access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to documenting and enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family.

Related controls and activities

AC-02, AC-04, AC-05, AC-06, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AC-24, AC-25, AT-02, AT-03, AU-09, CA-09, CM-05, CM-11, IA-02, IA-05, IA-06, IA-07, IA-11, IA-13, MA-03, MA-04, MA-05, MP-04, PM-02, PS-03, PT-02, PT-03, SA-17, SC-02, SC-03, SC-04, SC-12, SC-13, SC-28, SC-31, SC-34, SI-04, SI-08.

Enhancements

(01) Access enforcement: Restricted access to privileged functions
- Withdrawn: Incorporated into AC-06.
(02) Access enforcement: Dual authorization
- Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
- Discussion: Dual authorization, also known as two-person control, reduces risk related to insider threats. Dual authorization mechanisms require the approval of 2 authorized individuals to execute. To reduce the risk of collusion, organizations consider rotating dual authorization duties. Organizations consider the risk associated with implementing dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety.
- Related controls and activities: CP-09, MP-06.
(03) Access enforcement: Mandatory access control
- Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy:
  1. is uniformly enforced across the covered subjects and objects within the system
  2. specifies that a subject that has been granted access to information is constrained from doing any of the following
    1. passing the information to unauthorized subjects or objects
    2. granting its privileges to other subjects
    3. changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components
    4. choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects
    5. changing the rules governing access control
  3. specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints
- Discussion: Mandatory access control is a type of nondiscretionary access control. Mandatory access control policies constrain what actions subjects can take with information obtained from objects for which they have already been granted access. This prevents the subjects from passing the information to unauthorized subjects and objects. Mandatory access control policies constrain actions that subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the system has control. Otherwise, the access control policy can be circumvented. This enforcement is provided by an implementation that meets the reference monitor concept as described in AC-25. The policy is bounded by the system (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect).
  The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-06). Trusted subjects are only given the minimum privileges necessary for satisfying organizational mission/business needs relative to the above policy. The control is most applicable when there is a mandate that establishes a policy regarding access to protected information or classified information and some users of the system are not authorized access to all such information resident in the system.
  Mandatory access control can operate in conjunction with discretionary access control as described in AC-03(04). A subject constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of AC-03(04), but mandatory access control policies take precedence over the less rigorous constraints of AC-03(04). For example, while a mandatory access control policy imposes a constraint that prevents a subject from passing information to another subject operating at a different impact or classification level, AC-03(04) permits the subject to pass the information to any other subject with the same impact or classification level as the subject. Examples of mandatory access control policies include the Bell-LaPadula policy to protect confidentiality of information and the Biba policy to protect the integrity of information.
- Related controls and activities: SC-07.
(04) Access enforcement: Discretionary access control
- Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:
  1. pass the information to any other subjects or objects
  2. grant its privileges to other subjects
  3. change security attributes on subjects, objects, the system, or the system’s components
  4. choose the security attributes to be associated with newly created or revised objects
  5. change the rules governing access control
- Discussion: When discretionary access control policies are implemented, subjects are not constrained regarding what actions they can take with operational information for which they have already been granted access. However, there are restrictions for use or disclosure of personal information. Notice of uses is provided to the individual at the point of collection and the only permitted uses of the information are communicated in the Privacy Notice Statement and are restricted by uses detailed in ss. 8(2) of the Privacy Act.
  For operational records, subjects that have been granted access to information are not prevented from passing the information to other subjects or objects (i.e., subjects have the discretion to pass). Discretionary access control can operate in conjunction with mandatory access control as described in AC-03(03) and AC-03(15). A subject that is constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of discretionary access control. Therefore, while AC-03(03) imposes constraints that prevent a subject from passing information to another subject operating at a different impact or classification level, AC-03(04) permits the subject to pass the information to any subject at the same impact or classification level.
  The policy is bounded by the system. Once the information is passed outside of system control, additional means may be required to ensure that the constraints remain in effect. While traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this particular use of discretionary access control.
- Related controls and activities: None.
(05) Access enforcement: Security-relevant information
- Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.
- Discussion: Security-relevant information is information within systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security and privacy policies or maintain the separation of code and data. Security-relevant information includes access control lists, filtering rules for routers or firewalls, configuration parameters for security services, and cryptographic key management information. Secure, non-operable system states include the times in which systems are not performing mission or business-related processing, such as when the system is offline for maintenance, boot-up, troubleshooting, or shut down.
- Related controls and activities: CM-06, SC-39.
(06) Access enforcement: Protection of user and system information
- Withdrawn: Incorporated into MP-04 and SC-28.
(07) Access enforcement: Role-based access control
- Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
- Discussion: Role-based access control (RBAC) is an access control policy that enforces access to objects and system functions based on the defined role (i.e., job function) of the subject. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organization-defined roles. When users are assigned to specific roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be many individuals) but are instead acquired through role assignments. RBAC can also increase privacy and security risk if individuals assigned to a role are given access to information beyond what they need to support organizational missions or business functions. RBAC can be implemented as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-03(03) define the scope of the subjects and objects covered by the policy.
- Related controls and activities: None.
(08) Access enforcement: Revocation of access authorizations
- Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].
- Discussion: Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process acting on behalf of a user) is removed from a group, access may not be revoked until the next time the object is opened or the next time the subject attempts to access the object. Revocation based on changes to security labels may take effect immediately. Organizations provide alternative approaches on how to make revocations immediate if systems cannot provide such capability and immediate revocation is necessary.
- Related controls and activities: None.
(09) Access enforcement: Controlled release
- Release information outside of the system only if:
  1. the receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]
  2. [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release
- Discussion: Organizations can only directly protect information when it resides within the system. Additional controls may be needed to ensure that organizational information is adequately protected once it is transmitted outside of the system. In situations where the system is unable to determine the adequacy of the protections provided by external entities, as a mitigation measure, organizations procedurally determine whether the external systems are providing adequate controls.
  The means used to determine the adequacy of controls provided by external systems include conducting periodic assessments (inspections/tests), establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed must be sufficient to provide consistent adjudication of the security and privacy policy to protect the information and individuals’ privacy.
  Controlled release of information requires systems to implement technical or procedural means to validate the information prior to releasing it to external systems. For example, if the system passes information to a system controlled by another organization, technical means are employed to validate that the security and privacy attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only authorized individuals gain access to the printer.
- Related controls and activities: CA-03, PT-07, PT-08, SA-09, SC-16.
(10) Access enforcement: Audited override of access control mechanisms
- Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].
- Discussion: In certain situations, such as when there is a threat to human life or an event that threatens the organization’s ability to carry out critical missions or business functions, an override capability for access control mechanisms may be needed. Override conditions are defined by organizations and used only in those limited circumstances. Audit events are defined in AU-02. Audit records are generated in AU-12.
- Related controls and activities: AU-02, AU-06, AU-10, AU-12, AU-14.
(11) Access enforcement: Restrict access to specific information types
- Restrict access to data repositories containing [Assignment: organization-defined information types].
- Discussion: Restricting access to specific information is intended to provide flexibility regarding access control of specific information types within a system. For example, role-based access could be employed to allow access to only a specific type of personal information within a database rather than allowing access to the database in its entirety. Other examples include restricting access to cryptographic keys, authentication information, and selected system information.
- Related controls and activities: CM-08, CM-12, CM-13, PM-05.
(12) Access enforcement: Assert and enforce application access
- 1. Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]
  2. Provide an enforcement mechanism to prevent unauthorized access
  3. Approve access changes after initial installation of the application
- Discussion: Asserting and enforcing application access is intended to address applications that need to access existing system applications and functions, including user contacts, global positioning systems, cameras, keyboards, microphones, networks, phones, or other files.
- Related controls and activities: CM-07.
(13) Access enforcement: Attribute-based access control
- Enforce ABAC policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions].
- Discussion: ABAC is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, identity), action attributes (e.g., read, write, delete), environmental attributes (e.g., time of day, location), and resource attributes (e.g., classification of a document). Organizations can create rules based on attributes and the authorizations (i.e., privileges) to perform needed operations on the systems associated with organization-defined attributes and rules.
  When users are assigned to attributes defined in ABAC policies or rules, they can be provisioned to a system with the appropriate privileges or dynamically granted access to a protected resource. ABAC can be implemented as either a mandatory or discretionary form of access control. When implemented with mandatory access controls, the requirements in AC-03(03) define the scope of the subjects and objects covered by the policy.
- Related controls and activities: None.
(14) Access enforcement: Individual access
- Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personal information: [Assignment: organization-defined elements].
- Discussion: Individual access allows individuals to access and potentially correct inaccuracies related to their personal information held within organizational records, regardless of format. Access helps individuals to develop an understanding about how their personal information is being collected, used, or disclosed by government organizations. It can also help individuals ensure that their personal information used to make administrative decisions is accurate. Access mechanisms can include request forms and application interfaces.
- GC discussion: For federal departments and agencies, the Privacy Act processes can be located in the government publication, Sources of Federal Government and Employee Information, and on departmental websites. Access to certain types of records may not be appropriate or may require certain levels of authentication assurance. Organizational personnel may consult with the appropriate privacy senior official or executive and legal counsel to determine appropriate mechanisms and access rights or limitations.
- Related controls and activities: IA-08, PM-22, PM-20, PM-21, PT-06.
(15) Access enforcement: Discretionary and mandatory access control
- 1. Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy
  2. Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy
- Discussion: Simultaneously implementing a mandatory access control policy and a discretionary access control policy can provide additional protection against the unauthorized execution of code by users or by processes acting on behalf of users. This helps prevent a single compromised user or process from compromising the entire system.
- Related controls and activities: SC-02, SC-03, AC-04.

References:

Top of page

AC-04 Information flow enforcement

Control

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].

Discussion

Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-03).

Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information custodians/stewards provide guidance at designated policy enforcement points between connected systems.

Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.

Custodians for personal information holdings should ensure that the minimal required personal information is shared between one system and another and, where possible, that the sharing of personal information is documented in an agreement.

Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content.

Organizations also consider the robustness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally unavailable in commercial off-the-shelf products (COTS). Information flow enforcement also applies to control plane traffic (e.g., routing and domain name system (DNS)).

Related controls and activities

AC-03, AC-06, AC-16, AC-17, AC-19, AC-21, AU-10, CA-03, CA-09, CM-07, PL-09, PM-24, SA-17, SC-04, SC-07, SC-16, SC-31.

Enhancements

(01) Information flow enforcement: Object security and privacy attributes
- Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
- Discussion: Information flow enforcement mechanisms compare security and privacy attributes associated with information (i.e., data content and structure) and source and destination objects and respond appropriately when the enforcement mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labelled Secret would be allowed to flow to a destination object labelled Secret, but an information object labelled Top Secret would not be allowed to flow to a destination object labelled Secret.
  A dataset of personal information may be tagged with restrictions against combining with other types of datasets and, thus, would not be allowed to flow to the restricted dataset. Security and privacy attributes can also include source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security or privacy attributes can be used, for example, to control the release of certain types of information.
- Related controls and activities: None.
(02) Information flow enforcement: Processing domains
- Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
- Discussion: Protected processing domains within systems are processing spaces that have controlled interactions with other processing spaces, enabling control of information flows between these spaces and to/from information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, system processes are assigned to domains, information is identified by types, and information flows are controlled based on allowed information accesses (i.e., determined by domain and type), allowed signalling among domains, and allowed process transitions to other domains.
- Related controls and activities: SC-39.
(03) Information flow enforcement: Dynamic information flow control
- Enforce [Assignment: organization-defined information flow control policies].
- Discussion: Organizational policies regarding dynamic information flow control include allowing or disallowing information flows based on changing conditions or mission or operational considerations. Changing conditions include changes in risk tolerance due to changes in the immediacy of mission or business needs, changes in the threat environment, and detection of potentially harmful or adverse events.
- Related controls and activities: SI-04.
(04) Information flow enforcement: Flow control of encrypted information
- Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (1 or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]].
- Discussion: Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term “encryption” is extended to cover encoded data not recognized by filtering mechanisms.
- Related controls and activities: SI-04.
(05) Information flow enforcement: Embedded data types
- Enforce [Assignment: organization-defined limitations] on embedding data types within other data types.
- Discussion: Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes inserting files as objects within other files and using compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools.
- Related controls and activities: None.
(06) Information flow enforcement: Metadata
- Enforce information flow control based on [Assignment: organization-defined metadata].
- Discussion: Metadata is information that describes the characteristics of data. Metadata can include structural metadata describing data structures or descriptive metadata describing data content. Metadata can also infer personal characteristics about an individual. Enforcement of allowed information flows based on metadata enables simpler and more effective flow control.
  Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., employing sufficiently strong binding techniques with appropriate assurance).
- Related controls and activities: AC-16, SI-07.
(07) Information flow enforcement: One-way flow mechanisms
- Enforce one-way information flows through hardware-based flow control mechanisms.
- Discussion: One-way flow mechanisms may also be referred to as a unidirectional network, unidirectional security gateway, or data diode. One-way flow mechanisms can be used to prevent data from being exported from a higher impact or classified domain or system while permitting data from a lower impact or unclassified domain or system to be imported.
- Related controls and activities: None.
(08) Information flow enforcement: Security and privacy policy filters
- 1. Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows].
  2. [Selection (1 or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy].
- Discussion: Organization-defined security or privacy policy filters can address data structures and content. For example, security or privacy policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security or privacy policy filters for data content can check for specific words, enumerated values or data value ranges, and hidden content. These filters can be used to improve the accuracy of data used for decision-making purposes; for example, phone numbers should include 10 digits. Organizations can implement more than one security or privacy policy filter to meet information flow control objectives.
  Structured data permits the interpretation of data content by applications. Unstructured data refers to digital information without a data structure or with a data structure that does not facilitate the development of rule sets to address the impact or classification level of the information conveyed by the data or the flow enforcement decisions.
  Unstructured data consists of bitmap objects that are inherently non-language-based (i.e., image, video, or audio files) and textual objects that are based on written or printed languages.
- Related controls and activities: None.
(09) Information flow enforcement: Human reviews
- Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].
- Discussion: Organizations define security or privacy policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of or as a complement to automated security or privacy policy filtering. Human reviews may also be employed as deemed necessary by organizations.
- Related controls and activities: None.
(10) Information flow enforcement: Enable and disable security or privacy policy filters
- Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions].
- Discussion: For example, as allowed by the system authorization, administrators can enable security or privacy policy filters to accommodate approved data types. Administrators also have the capability to select the filters that are executed on a specific data flow based on the type of data that is being transferred, the source and destination security domains, and other security or privacy relevant features, as needed.
- Related controls and activities: None.
(11) Information flow enforcement: Configuration of security or privacy policy filters
- Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies.
- Discussion: Documentation contains detailed information for configuring security or privacy policy filters. For example, administrators can configure security or privacy policy filters to include the list of inappropriate words that security or privacy policy mechanisms check in accordance with the definitions provided by organizations.
- Related controls and activities: None.
(12) Information flow enforcement: Data type identifiers
- When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions.
- Discussion: Data type identifiers include file names, file types, file signatures or tokens, and multiple internal file signatures or tokens. Systems only allow transfer of data that is compliant with data type format specifications. Identification and validation of data types is based on defined specifications associated with each allowed data format. The file name and number alone are not used for data type identification. Content is validated syntactically and semantically against its specification to ensure that it is the proper data type. This can improve the integrity of data, particularly personal information, that is transmitted between systems.
- Related controls and activities: None.
(13) Information flow enforcement: Decomposition into policy-relevant subcomponents
- When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.
- Discussion: Decomposing information into policy-relevant subcomponents prior to information transfer facilitates policy decisions on source, destination, certificates, classification, attachments, and other security- or privacy-related component differentiators. Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains.
- Related controls and activities: None.
(14) Information flow enforcement: Security or privacy policy filter constraints
- When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content.
- Discussion: Data structure and content restrictions reduce the range of potential malicious or unsanctioned content in cross-domain transactions. Security or privacy policy filters that restrict data structures include restricting file sizes and field lengths. Limiting size and field length to open-ended data fields can reduce the risk of over collection of personal information. Data content policy filters include encoding formats for character sets, restricting character data fields to only contain alphanumeric characters, prohibiting special characters, and validating schema structures.
- Related controls and activities: None.
(15) Information flow enforcement: Detection of unsanctioned information
- When transferring information between different security domains, examine the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy].
- Discussion: Unsanctioned information includes malicious code, information that is inappropriate for release from the source network, or executable code that could disrupt or harm the services or systems on the destination network. Limiting the collection of specific unsanctioned information can reduce the risk of collection of inappropriate personal information.
- Related controls and activities: SI-03.
(16) Information flow enforcement: Information transfers on interconnected systems
- Withdrawn: Incorporated into AC-04.
(17) Information flow enforcement: Domain authentication
- Uniquely identify and authenticate source and destination points by [Selection (1 or more): organization; system; application; service; individual] for information transfer.
- Discussion: Attribution is a critical component of a security and privacy concept of operations. The ability to identify source and destination points for information flowing within systems allows the forensic reconstruction of events and encourages policy compliance by attributing policy violations to specific organizations or individuals. Successful domain authentication requires that system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information. Attribution also allows organizations to better maintain the lineage of personal information processing as it flows through systems and can facilitate consent tracking, as well as correction, deletion, or access requests from individuals.
- Related controls and activities: IA-02, IA-03, IA-09.
(18) Information flow enforcement: Security attribute binding
- Withdrawn: Incorporated into AC-16.
(19) Information flow enforcement: Validation of metadata
- When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata.
- Discussion: All information (including metadata and the data to which the metadata applies) is subject to filtering and inspection. Some organizations distinguish between metadata and data payloads (i.e., only the data to which the metadata is bound). Other organizations do not make such distinctions and consider metadata and the data to which the metadata applies to be part of the payload.
- Related controls and activities: None.
(20) Information flow enforcement: Approved solutions
- Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains.
- Discussion: Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries.
- GC discussion: The Cyber Centre provides recommendations on certified cross-domain solution (CDS) products and design patterns. Contact the Cyber Centre at contact@cyber.gc.ca for more information.
- Related controls and activities: None.
(21) Information flow enforcement: Physical or logical separation of information flows
- Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
- Discussion: Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels.
- Related controls and activities: SC-32.
(22) Information flow enforcement: Access only
- Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.
- Discussion: The system provides a capability for users to access each connected security domain without providing any mechanisms to allow users to transfer data or information between the different security domains. An example of an access-only solution is a terminal that provides a user access to information with different security classifications while assuredly keeping the information separate.
- Related controls and activities: SI-400.
(23) Information flow enforcement: Modify non-releasable information
- When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action].
- Discussion: Modifying or de-identifying non-releasable information can help prevent a data spill or attack when information is transferred across security domains. Modification actions include masking, permutation, alteration such as scrambling of data removal, or redaction.
- Related controls and activities: None.
(24) Information flow enforcement: Internal normalized format
- When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.
- Discussion: Converting data into normalized forms is one of most of effective mechanisms to stop malicious attacks and large classes of data exfiltration.
- Related controls and activities: None.
(25) Information flow enforcement: Data sanitization
- When transferring information between different security domains, sanitize data to minimize [Selection (1 or more): delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data; spillage of sensitive information] in accordance with [Assignment: organization-defined policy].
- Discussion: Data sanitization is the process of irreversibly removing or destroying data stored on a memory device (e.g., hard drives, flash memory/solid state drives, mobile devices, CDs, DVDs, and Blu-rays) or in hard copy form.
- Related controls and activities: MP-06.
(26) Information flow enforcement: Audit filtering actions
- When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.
- Discussion: Content filtering is the process of inspecting information as it traverses a CDS and determines if the information meets a predefined policy. Content filtering actions and the results of filtering actions are recorded for individual messages to ensure that the correct filter actions were applied. Content filter reports are used to assist in troubleshooting actions by, for example, determining why message content was modified and/or why it failed the filtering process. Audit events are defined in AU-02. Audit records are generated in AU-12.
- Related controls and activities: AU-02, AU-03, AU-12.
(27) Information flow enforcement: Redundant/independent filtering mechanisms
- When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.
- Discussion: Content filtering is the process of inspecting information as it traverses a CDS and determines if the information meets a predefined policy. Redundant and independent content filtering eliminates a single point of failure filtering system. Independence is defined as the implementation of a content filter that uses a different code base and supporting libraries (e.g., 2 JPEG filters using different vendors’ JPEG libraries) and multiple, independent system processes.
- Related controls and activities: None.
(28) Information flow enforcement: Linear filter pipelines
- When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.
- Discussion: Content filtering is the process of inspecting information as it traverses a CDS and determines if the information meets a predefined policy. The use of linear content filter pipelines ensures that filter processes are non-bypassable and always invoked. In general, the use of parallel filtering architectures for content filtering of a single data type introduces bypass and non-invocation issues.
- Related controls and activities: None.
(29) Information flow enforcement: Filter orchestration engines
- When transferring information between different security domains, employ content filter orchestration engines to ensure that:
  1. content filtering mechanisms successfully complete execution without errors
  2. content filtering actions occur in the correct order and comply with [Assignment: organization-defined policy]
- Discussion: Content filtering is the process of inspecting information as it traverses a CDS and determines if the information meets a predefined security policy. An orchestration engine coordinates the sequencing of activities (manual and automated) in a content filtering process. Errors are defined as either anomalous actions or unexpected termination of the content filter process. This is not the same as a filter failing content due to non-compliance with policy. Content filter reports are a commonly used mechanism to ensure that expected filtering actions are completed successfully.
- Related controls and activities: None.
(30) Information flow enforcement: Filter mechanisms using multiple processes
- When transferring information between different security domains, implement content filtering mechanisms using multiple processes.
- Discussion: The use of multiple processes to implement content filtering mechanisms reduces the likelihood of a single point of failure.
- Related controls and activities: None.
(31) Information flow enforcement: Failed content transfer prevention
- When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.
- Discussion: Content that failed filtering checks can corrupt the system if transferred to the receiving domain.
- Related controls and activities: None.
(32) Information flow enforcement: Process requirements for information transfer
- When transferring information between different security domains, the process that transfers information between filter pipelines:
  1. does not filter message content
  2. validates filtering metadata
  3. ensures the content associated with the filtering metadata has successfully completed filtering
  4. transfers the content to the destination filter pipeline
- Discussion: The processes transferring information between filter pipelines have minimum complexity and functionality to provide assurance that the processes operate correctly.
- Related controls and activities: None.

References:

Top of page

AC-05 Separation of duties

Control

Identify and document [Assignment: organization-defined duties of individuals requiring separation]
Define system access authorizations to support separation of duties

Discussion

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions.

Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in AC-02, access control mechanisms in AC-03, and identity management activities in IA-02, IA-04, and IA-12.

Related controls and activities

AC-02, AC-03, AC-06, AU-09, CM-05, CM-11, CP-09, IA-02, IA-04, IA-05, IA-12, MA-03, MA-05, PS-02, SA-08, SA-17.

Enhancements

None.

References

None.

Top of page

AC-06 Least privilege

Control

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Discussion

Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.

Related controls and activities

AC-02, AC-03, AC-05, AC-16, CM-05, CM-11, PL-02, PM-12, SA-08, SA-15, SA-17, SC-38.

Enhancements

(01) Least privilege: Authorize access to security functions
- Authorize access for [Assignment: organization-defined individuals or roles] to:
  1. [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]
  2. [Assignment: organization-defined security-relevant information]
- Discussion: Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters.
  Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists.
  Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users.
- Related controls and activities: AC-17, AC-18, AC-19, AU-09, PE-02.
(02) Least privilege: Non-privileged access to non-security functions
- Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing non-security functions.
- Discussion: Requiring the use of non-privileged accounts when accessing non-security functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.
- Related controls and activities: AC-17, AC-18, AC-19, PL-04.
(03) Least privilege: Network access to privileged commands
- Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.
- Discussion: Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).
- Related controls and activities: AC-17, AC-18, AC-19.
(04) Least privilege: Separate processing domains
- Provide separate processing domains to enable finer-grained allocation of user privileges.
- Discussion: Providing separate processing domains for finer-grained allocation of user privileges includes using virtualization techniques to permit additional user privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying physical machine, implementing separate physical domains, and employing hardware or software domain separation mechanisms.
- Related controls and activities: AC-04, SC-02, SC-03, SC-30, SC-32, SC-39.
(05) Least privilege: Privileged accounts
- Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles].
- Discussion: Privileged accounts, including super user accounts, are typically described as the system administrator for various types of COTS operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk.
- Related controls and activities: IA-02, MA-03, MA-04.
(06) Least privilege: Privileged access by non-organizational users
- Prohibit privileged access to the system by non-organizational users.
- Discussion: An organizational user is an employee, or an individual considered by the organization to have the equivalent status of an employee. Organizational users include contractors, guest researchers, or individuals detailed from other organizations. Policies and procedures for granting equivalent status of employees to individuals include a need-to-know, citizenship, and the relationship to the organization.
- Related controls and activities: AC-18, AC-19, IA-02, IA-08.
(07) Least privilege: Review of user privileges
- 1. Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges
  2. Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs
- Discussion: The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.
- Related controls and activities: CA-07.
(08) Least privilege: Privilege levels for code execution
- Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software].
- Discussion: In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided with greater privileges than assigned.
- Related controls and activities: None.
(09) Least privilege: Log use of privileged functions
- Log the execution of privileged functions.
- Discussion: The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and help mitigate the risk from insider threats and the advanced persistent threat (APT).
- Related controls and activities: AU-02, AU-03, AU-12.
(10) Least privilege: Prohibit non-privileged users from executing privileged functions
- Prevent non-privileged users from executing privileged functions.
- Discussion: Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations.
  Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by AC-03.
- Related controls and activities: None.

References

None.

Top of page

AC-07 Unsuccessful logon attempts

Control

Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]
Automatically [Selection (1 or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded

Discussion

The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period.

If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels.

Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address.

If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.

Related controls and activities

AC-02, AC-09, AU-02, AU-06, IA-05.

Enhancements

(01) Unsuccessful logon attempts: Automatic account lock
- Withdrawn: Incorporated into AC-07.
(02) Unsuccessful logon attempts: Purge or wipe mobile device
- Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.
- Discussion: A mobile device is a computing device that has a small form factor such that it can be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source.
  Purging or wiping the device applies only to mobile devices for which the organization-defined number of unsuccessful logons occurs. The logon is to the mobile device, not to any one account on the device. Successful logons to accounts on mobile devices reset the unsuccessful logon count to zero. Purging or wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms.
- Related controls and activities: AC-19, MP-05, MP-06.
(03) Unsuccessful logon attempts: Biometric attempt limiting
- Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined number].
- Discussion: Biometrics are probabilistic in nature. The ability to successfully authenticate can be impacted by many factors, including matching performance and presentation attack detection mechanisms. Organizations select the appropriate number of attempts for users based on organizationally defined factors.
- Related controls and activities: IA-03.
(04) Unsuccessful logon attempts: Use of alternate authentication factor
- 1. Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded
  2. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period]
- Discussion: The use of alternate authentication factors supports the objective of availability and allows a user who has inadvertently been locked out to use additional authentication factors to bypass the lockout.
- Related controls and activities: IA-03.

References:

User authentication guidance for information technology systems (ITSP.30.031)

Top of page

AC-08 System use notification

Control

Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines and state that
1. users are accessing a GC system
2. system usage may be monitored, recorded, and subject to audit
3. unauthorized use of the system is prohibited and subject to criminal and civil penalties
4. the relevant personal information bank (PIB) reference, if applicable
5. legal authority for the collection of personal information
6. any legal or administrative consequences for refusing to provide the personal information
7. the rights of access to, correction and protection of personal information
8. how the information will be used
9. the right to file a complaint to the Privacy Commissioner of Canada regarding the institution’s handling of the individual’s personal information
Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system
For publicly accessible systems
1. display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system
2. display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities
3. include a description of the authorized uses of the system

Discussion

System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on a risk assessment, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users.

This control legally enables additional security controls such as monitoring, auditing, identifier management, acceptable use enforcement, anomalous behaviour detection, and tainting/watermarking.

GC discussion

Organizations consult with the privacy office for input regarding privacy messaging and the TBS or organizational equivalent for legal review and approval of warning banner content. System use notifications may be privacy notice statements (PNS) for systems users.

Related controls and activities

AC-04, AC-14, AC-25, AU-01, AU-16, CA-01, CA-07, CM-13, IA-04, PL-04, PT-02, PT-03, PT-04, PT-05, PT-06, RA-08, SI-04, SI-12, SI-18, SI-19, SI-20, SI-21, SR-03, SR-05.

Enhancements

None.

References:

Top of page

AC-09 Previous logon notification

Control

Notify the user, upon successful logon to the system, of the date and time of the last logon.

Discussion

Previous logon notification is applicable to system access via human user interfaces and access to systems that occurs in other types of architectures. Information about the last successful logon allows the user to recognize if the date and time provided is not consistent with the user’s last access.

Related controls and activities

AC-07, PL-04.

Enhancements

(01) Previous logon notification: Unsuccessful logons
- Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
- Discussion: Information about the number of unsuccessful logon attempts since the last successful logon allows the user to recognize if the number of unsuccessful logon attempts is consistent with the user’s actual logon attempts.
- Related controls and activities: None.
(02) Previous logon notification: Successful and unsuccessful logons
- Notify the user, upon successful logon, of the number of [Selection (1): successful logons; unsuccessful logon attempts; both] during [Assignment: organization-defined time period].
- Discussion: Information about the number of successful and unsuccessful logon attempts within a specified time period allows the user to recognize if the number and type of logon attempts are consistent with the user’s actual logon attempts.
- Related controls and activities: None.
(03) Previous logon notification: Notification of account changes
- Notify the user, upon successful logon, of changes to [Assignment: organization-defined security-related characteristics or parameters of the user’s account] during [Assignment: organization-defined time period].
- Discussion: Information about changes to security-related account characteristics within a specified time period allows users to recognize if changes were made without their knowledge.
- Related controls and activities: None.
(04) Previous logon notification: Additional logon information
- Notify the user, upon successful logon, of the following additional information: [Assignment: organization-defined additional information].
- Discussion: Organizations can specify additional information to be provided to users upon logon, including the location of the last logon. User location is defined as information that can be determined by systems, such as IP addresses from which network logons occurred, notifications of local logons, or device identifiers.
- Related controls and activities: None.

References

None.

Top of page

AC-10 Concurrent session control

Control

Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].

Discussion

Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts.

Related controls and activities

SC-23.

Enhancements

None.

References

None.

Top of page

AC-11 Device lock

Control

Prevent further access to the system by [Selection (1 or more): initiating a device lock after [Assignment: organization-defined tie period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]
Retain the device lock until the user re-establishes access using established identification and authentication procedures

Discussion

Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level.

A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behaviour or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.

Related controls and activities

AC-02, AC-07, IA-11, PL-04.

Enhancements

(01) Device lock: Pattern-hiding displays
- Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
- Discussion: The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that protected information is not displayed.
- Related controls and activities: None.

References

None.

Top of page

AC-12 Session termination

Activity/Control: Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].

Discussion

Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions.

Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.

Related controls and activities

MA-04, SC-10, SC-23.

Enhancements

(01) Session termination: User-initiated logouts
- Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources].
- Discussion: Information resources to which users gain access via authentication include local workstations, databases, and password-protected websites or web-based services.
- Related controls and activities: None.
(02) Session termination: Termination message
- Display an explicit logout message to users indicating the termination of authenticated communications sessions.
- Discussion: Logout messages for web access can be displayed after authenticated sessions have been terminated. However, for certain types of sessions, including file transfer protocol (FTP) sessions, systems typically send logout messages as final messages prior to terminating sessions.
- Related controls and activities: None.
(03) Session termination: Timeout warning message
- Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session].
- Discussion: To increase usability, notify users of pending session termination and prompt users to continue the session. The pending session termination time period is based on the parameters defined in the AC-12 base control.
- Related controls and activities: None.

References

None.

AC-13 Supervision and review – access control

Withdrawn: Incorporated into AC-02 and AU-06.

Top of page

AC-14 Permitted actions without identification or authentication

Control

Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions
Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication

Discussion

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received.

Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use.

Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be none.

Related controls and activities

AC-08, IA-02, PL-02.

Enhancements

(01) Permitted actions without identification or authentication: Necessary uses
- Withdrawn: Incorporated into AC-14.

References

None.

AC-15 Automated marking

Withdrawn: Incorporated into MP-03.

Top of page

AC-16 Security and privacy attributes

Control

Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission
Ensure that the attribute associations are made and retained with the information
Establish the following permitted security and privacy attributes from the attributes defined in AC-16A for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes]
Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes]
Audit changes to attributes
Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency]

Discussion

Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures, such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions that represent the basic properties or characteristics of active and passive entities with respect to safeguarding information. Privacy attributes, which may be used independently or in conjunction with security attributes, represent the basic properties or characteristics of active or passive entities with respect to the management of personal information. Attributes can be either explicitly or implicitly associated with the information contained in organizational systems or system components.

Attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, cause information to flow among objects, or change the system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of attributes to subjects and objects by a system is referred to as binding and is inclusive of setting the attribute value and the attribute type.

Attributes, when bound to data or information, permit the enforcement of security and privacy policies for access control and information flow control, including data retention limits, permitted uses of personal information, and identification of personal information within data objects. Such enforcement occurs through organizational processes or system functions or mechanisms. The binding techniques implemented by systems affect the strength of attribute binding to information. Binding strength and the assurance associated with binding techniques play important parts in the trust that organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. The content or assigned values of attributes can directly affect the ability of individuals to access organizational information.

Organizations can define the types of attributes needed for systems to support missions or business functions. There are many values that can be assigned to a security attribute. By specifying the permitted attribute ranges and values, organizations ensure that attribute values are meaningful and relevant. Labelling refers to the association of attributes with the subjects and objects represented by the internal data structures within systems. This facilitates system-based enforcement of information security and privacy policies. Labels include classification of information in accordance with legal and compliance requirements (e.g., Top Secret, Secret, Confidential, Protected), information impact level; high value asset information, access authorizations, nationality; data lifecycle protection (i.e., encryption and data expiration), personal information processing permissions, including individual consent to personal information processing, and contractor affiliation.

A related term to labeling is marking. Marking refers to the association of attributes with objects in a human-readable form and displayed on system media. Marking enables manual, procedural, or process-based enforcement of information security and privacy policies. Security and privacy labels may have the same value as media markings (e.g., Top Secret, Secret, Confidential). See MP-03 (Media Marking).

Related controls and activities

AC-03, AC-04, AC-06, AC-21, AC-25, AU-02, AU-10, MP-03, PE-22, PT-02, PT-03, PT-04, SC-11, SC-16, SI-12, SI-18, SA-400.

Enhancements

(01) Security and privacy attributes: Dynamic attribute association
- Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies].
- Discussion: Dynamic association of attributes is appropriate whenever the security or privacy characteristics of information change over time. Attributes may change due to information aggregation issues (i.e., characteristics of individual data elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), changes in the security category of information, or changes in security or privacy policies. Attributes may also change situationally.
- Related controls and activities: None.
(02) Security and privacy attributes: Attribute value changes by authorized individuals
- Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.
- Discussion: The content or assigned values of attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for systems to be able to limit the ability to create or modify attributes to authorized individuals.
- Related controls and activities: None.
(03) Security and privacy attributes: Maintenance of attribute associations by system
- Maintain the association and integrity of [Assignment: organization-defined security and privacy attributes] to [Assignment: organization-defined subjects and objects].
- Discussion: Maintaining the association and integrity of security and privacy attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. The integrity of specific items, such as security configuration files, may be maintained through the use of an integrity monitoring mechanism that detects anomalies and changes that deviate from known good baselines. Automated policy actions include retention date expirations, access control decisions, information flow control decisions, and information disclosure decisions.
- Related controls and activities: None.
(04) Security and privacy attributes: Association of attributes by authorized individuals
- Provide the capability to associate [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
- Discussion: Systems, in general, provide the capability for privileged users to assign security and privacy attributes to system-defined subjects (e.g., users) and objects (e.g., directories, files, and ports). Some systems provide additional capability for general users to assign security and privacy attributes to additional objects (e.g., files, emails).
  The association of attributes by authorized individuals is described in the design documentation. The support provided by systems can include prompting users to select security and privacy attributes to be associated with information objects, employing automated mechanisms to categorize information with attributes based on defined policies, or ensuring that the combination of the security or privacy attributes selected is valid. Organizations consider the creation, deletion, or modification of attributes when defining auditable events.
- Related controls and activities: None.
(05) Security and privacy attributes: Attribute displays on objects to be output
- Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-defined special dissemination, handling, or distribution instructions] using [Assignment: organization-defined human-readable, standard naming conventions].
- Discussion: System outputs include printed pages, screens, or equivalent items. System output devices include printers, notebook computers, video displays, smart phones, and tablets. To mitigate the risk of unauthorized exposure of information (e.g., shoulder surfing), the outputs display full attribute values when unmasked by the subscriber.
- Related controls and activities: None.
(06) Security and privacy attributes: Maintenance of attribute association
- Require personnel to associate and maintain the association of [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security and privacy policies].
- Discussion: Maintaining attribute association requires individual users (as opposed to the system) to maintain associations of defined security and privacy attributes with subjects and objects.
- Related controls and activities: None.
(07) Security and privacy attributes: Consistent attribute interpretation
- Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.
- Discussion: To enforce security and privacy policies across multiple system components in distributed systems, organizations provide a consistent interpretation of security and privacy attributes employed in access enforcement and flow enforcement decisions. Organizations can establish agreements and processes to help ensure that distributed system components implement attributes with consistent interpretations in automated access enforcement and flow enforcement actions.
- Related controls and activities: None.
(08) Security and privacy attributes: Association techniques and technologies
- Implement [Assignment: organization-defined techniques and technologies] in associating security and privacy attributes to information.
- Discussion: The association of security and privacy attributes to information within systems is important for conducting automated access enforcement and flow enforcement actions. The association of such attributes to information (i.e., binding) can be accomplished with technologies and techniques that provide different levels of assurance. For example, systems can cryptographically bind attributes to information using digital signatures that support cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust).
- Related controls and activities: SC-12, SC-13.
(09) Security and privacy attributes: Attribute reassignment — regrading mechanisms
- Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures].
- Discussion: A regrading mechanism is a trusted process authorized to re-classify and re-label data in accordance with a defined policy exception. Validated regrading mechanisms are used by organizations to provide the requisite levels of assurance for attribute reassignment activities. The validation is facilitated by ensuring that regrading mechanisms are single purpose and of limited function. Since security and privacy attribute changes can directly affect policy enforcement actions, implementing trustworthy regrading mechanisms is necessary to help ensure that such mechanisms perform in a consistent and correct mode of operation.
- Related controls and activities: None.
(10) Security and privacy attributes: Attribute configuration by authorized individuals
- Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.
- Discussion: The content or assigned values of security and privacy attributes can directly affect the ability of individuals to access organizational information. Thus, it is important for systems to be able to limit the ability to create or modify the type and value of attributes available for association with subjects and objects to authorized individuals only.
- Related controls and activities: None.

References:

Top of page

AC-17 Remote access

Control

Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed
Authorize each type of remote access to the system prior to allowing such connections

Discussion

Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines.

Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-03. Enforcing access restrictions for remote access is addressed via AC-03.

GC discussion

The organization ensures that all employees working off-site safeguard information as per the minimum requirements in accordance with the TBS Directive on Security Management, Appendix C: Mandatory Procedures for Physical Security Control.

Related controls and activities

AC-02, AC-03, AC-04, AC-18, AC-19, AC-20, CA-03, CM-10, IA-02, IA-03, IA-08, MA-04, PE-17, PE-400, PL-02, PL-04, SC-10, SC-12, SC-13, SI-04.

Enhancements

(01) Remote access: Monitoring and control
- Employ automated mechanisms to monitor and control remote access methods.
- Discussion: Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-02. Audit events are defined in AU-02A.
- Related controls and activities: AU-02, AU-06, AU-12, AU-14.
(02) Remote access: Protection of confidentiality and integrity using encryption
- Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
- Discussion: VPNs can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions.
- Related controls and activities: SC-08, SC-12, SC-13.
(03) Remote access: Managed access control points
- Route remote accesses through authorized and managed network access control points.
- Discussion: Organizations consider a managed access control points solution for external network connections since limiting the number of access control points for remote access reduces attack surfaces.
- GC discussion: GC departments and agencies consider the secure remote access infrastructure provided by Shared Services Canada for external network connections.
- Related controls and activities: SC-07.
(04) Remote access: Privileged commands and access
- 1. Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides trustworthy evidence and for the following needs: [Assignment: organization-defined needs]
  2. Document the rationale for remote access in the security plan for the system
- Discussion: Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability.
- Related controls and activities: AC-06, SC-12, SC-13.
(05) Remote access: Monitoring for unauthorized connections
- Withdrawn: Incorporated into SI-04.
(06) Remote access: Protection of mechanism information
- Protect information about remote access mechanisms from unauthorized use and disclosure.
- Discussion: Remote access to organizational information by non-organizational entities can increase the risk of unauthorized use and disclosure about remote access mechanisms. The organization considers including remote access requirements in the information exchange agreements with other organizations, as applicable. Remote access requirements can also be included in rules of behaviour (see PL-04) and access agreements (see PS-06).
- Related controls and activities: AT-02, AT-03, PS-06.
(07) Remote access: Additional protection for security function access
- Withdrawn: Incorporated into AC-03(10).
(08) Remote access: Disable nonsecure network protocols
- Withdrawn: Incorporated into CM-07.
(09) Remote access: Disconnect or disable access
- Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].
- Discussion: The speed of system disconnect or disablement varies based on the criticality of missions or business functions and the need to eliminate immediate or future remote access to systems.
- Related controls and activities: None.
(10) Remote access: Authenticate remote commands
- Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands].
- Discussion: Authenticating remote commands protects against unauthorized commands and the replay of authorized commands. The ability to authenticate remote commands is important for remote systems for which loss, malfunction, misdirection, or exploitation would have immediate or serious consequences, such as injury, death, property damage, loss of high-value assets, failure of mission or business functions, or compromise of classified or protected information. Authentication mechanisms for remote commands ensure that systems accept and execute commands in the order intended, execute only authorized commands, and reject unauthorized commands. Cryptographic mechanisms can be used, for example, to authenticate remote commands.
- Related controls and activities: SC-12, SC-13, SC-23.
(400) Remote access: Privileged accounts remote access
- Remote access to privileged accounts is done from dedicated management consoles only.
- Discussion: Remote access to privileged accounts is performed on dedicated management consoles governed entirely by the system’s security policies and used exclusively for this purpose (e.g., Internet access not allowed). In the context of this control, remote access means anything not local to the host.
- Related controls and activities: SI-400.

References:

Top of page

AC-18 Wireless access

Control

Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access
Authorize each type of wireless access to the system prior to allowing such connections

Discussion

Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication.

Related controls and activities

AC-02, AC-03, AC-17, AC-19, CA-09, CM-07, IA-02, IA-03, IA-08, PL-04, SC-40, SC-43, SI-04.

Enhancements

(01) Wireless access: Authentication and encryption
- Protect wireless access to the system using authentication of [Selection (1 or more): users; devices] and encryption.
- Discussion: Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies.
- Related controls and activities: SC-08, SC-12, SC-13.
(02) Wireless access: Monitoring unauthorized connections
- Withdrawn: Incorporated into SI-04.
(03) Wireless access: Disable wireless networking
- Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.
- Discussion: Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies.
- Related controls and activities: None.
(04) Wireless access: Restrict configurations by users
- Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.
- Discussion: Organizational authorizations to allow selected users to configure wireless networking capabilities are enforced, in part, by the access enforcement mechanisms employed within organizational systems.
- Related controls and activities: SC-07, SC-15.
(05) Wireless access: Antennas and transmission power levels
- Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.
- Discussion: Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization, employing measures such as emissions security to control wireless emanations, and using directional or beamforming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area.
- Related controls and activities: PE-19.

References:

Security requirements for wireless local area networks (ITSG-41)
Guidance on securely configuring network protocols (ITSP.40.062)
Criteria for the design, fabrication, supply, installation and acceptance testing of walk-in, radio-frequency-shielded enclosures (ITSG-02) (available upon request from the Cyber Centre’s Contact Centre by email at contact@cyber.gc.ca or by phone at 1-833-CYBER-88 (1-833-292-3788))

Top of page

AC-19 Access control for mobile devices

Control

Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas
Authorize the connection of mobile devices to organizational systems

Discussion

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets.

Mobile devices are typically associated with a single individual, with some information defined as personal. For example, mobile devices can triangulate access enabling identification of the individual’s geolocation. In addition, some work-issued mobile devices enable personal profiles. Government departments should establish policies and procedures to document the custody and control of personal transactions completed in the personal profile, on work-issued mobile devices.

The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behaviour or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.

Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.

Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in AC-19. Many safeguards for mobile devices are reflected in other controls. AC-20 addresses mobile devices that are not organization-controlled. AC-08 lists the notice requirements for collection of personal information associated with the use of government-issued work cell phones.

Related controls and activities

AC-03, AC-04, AC-07, AC-08, AC-11, AC-17, AC-18, AC-20, CA-09, CM-02, CM-06, IA-02, IA-03, MP-02, MP-04, MP-05, MP-07, PL-04, SC-07, SC-34, SC-43, SI-03, SI-04.

Enhancements

(01) Access control for mobile devices: Use of writeable and portable storage devices
- Withdrawn: Incorporated into MP-07.
(02) Access control for mobile devices: Use of personally owned portable storage devices
- Withdrawn: Incorporated into MP-07.
(03) Access control for mobile devices: Use of portable storage devices with no identifiable owner
- Withdrawn: Incorporated into MP-07.
(04) Access control for mobile devices: Restrictions for classified information
- 1. Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official
  2. Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information
    1. connection of unclassified mobile devices to classified systems is prohibited
    2. connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official
    3. use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited
    4. unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed
  3. Restrict the connection of classified mobile devices to classified systems in accordance with [Assignment: organization-defined security policies]
- Discussion: None.
- Related controls and activities: CM-08, IR-04.
(05) Access control for mobile devices: Full device or container-based encryption
- Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
- Discussion: Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields.
- Related controls and activities: SC-12, SC-13, SC-28.
(400) Access control for mobile devices: Wireless devices
- Withdrawn: Moved to SC-42(400).

References:

TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
Security requirements for sireless local area networks (ITSG-41)
Security considerations for mobile device deployments (ITSAP.70.002)
Security configurations and best practices to protect your mobile device (ITSM.80.002)
Securing the enterprise for mobility (ITSM.80.001)

Top of page

AC-20 Use of external systems

Control

[Selection (1 or more): Establish [Assignment: organization-defined terms and conditions]; Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to
1. access the system from external systems
2. process, store, or transmit organization-controlled information using external systems
Prohibit the use of [Assignment: organizationally-defined types of external systems]

Discussion

External systems are systems that are used by but are not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by non-federal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally owned systems).

For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, Orders in Council, directives, regulations, policies, or standards.

Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behaviour regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on provincial, territorial, or municipal governments.

External systems used to access public interfaces to organizational systems are outside the scope of AC-20. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

Related controls and activities

AC-02, AC-03, AC-17, AC-19, CA-03, PL-02, PL-04, SA-09, SC-07.

Enhancements

(01) Use of external systems: Limits on authorized use
- Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after
  1. verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans
  2. retention of approved system connection or processing agreements with the organizational entity hosting the external system
- Discussion: Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as to not compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.
- Related controls and activities: CA-02.
(02) Use of external systems: Portable storage devices — restricted use
- Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions].
- Discussion: Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used.
- Related controls and activities: MP-07, SC-41.
(03) Use of external systems: Non-organizationally owned systems — restricted use
- Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [Assignment: organization-defined restrictions].
- Discussion: Non-organizationally owned systems or system components include systems or system components owned by other organizations as well as personally owned devices. There are potential risks to using non-organizationally owned systems or components. In some cases, the risk is sufficiently high as to prohibit such use (see AC-20B.). In other cases, the use of such systems or system components may be allowed but restricted in some way.
  Restrictions include requiring the implementation of approved controls prior to authorizing the connection of non-organizationally owned systems and components; limiting access to types of information, services, or applications; using virtualization techniques to limit processing and storage activities to servers or system components provisioned by the organization; and agreeing to the terms and conditions for usage. Organizations consult with the Office of the Privacy Commissioner (OPC) of Canada regarding legal issues associated with using personally owned devices, including requirements for conducting forensic analyses during investigations after an incident.
- Related controls and activities: None.
(04) Use of external systems: Network accessible storage devices — prohibited use
- Prohibit the use of [Assignment: organization-defined network accessible storage devices] in external systems.
- Discussion: Network-accessible storage devices in external systems include online storage devices in public, hybrid, or community cloud-based systems.
- Related controls and activities: None.
(05) Use of external systems: Portable storage devices — prohibited use
- Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.
- Discussion: Limits on the use of organization-controlled portable storage devices in external systems include a complete prohibition of the use of such devices. Prohibiting such use is enforced using technical methods and/or nontechnical (i.e., process-based) methods.
- Related controls and activities: MP-07, PL-04, PS-06, SC-41.

References:

Top of page

AC-21 Information sharing

Control

Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]
Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions

Discussion

Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, protected information, classified information related to special access programs or compartments, privileged information, proprietary information, and personal information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations.

Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may require non-disclosure agreements and access rights should be defined at the recipient organization based on permissible uses of the information and a demonstrated need-to-know. Information shared should be limited to the least amount of information required by the recipient organization. Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions.

Related controls and activities

AC-03, AC-04, AC-08, AC-16, PT-02, PT-07, RA-03, SC-15.

Enhancements

(01) Information sharing: Automated decision support
- Employ [Assignment: organization-defined automated mechanisms] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
- Discussion: Automated mechanisms are used to enforce information sharing decisions.
- Related controls and activities: None.
(02) Information sharing: Information search and retrieval
- Implement information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].
- Discussion: Information search and retrieval services identify information system resources relevant to an information need.
- Related controls and activities: None.
(400) Information sharing: Information sharing agreement
- Ensure through written agreements the appropriate safeguarding of sensitive information shared with external public-sector entities and organizations.
- Discussion: An agreement outlines the terms and conditions under which personal information is disclosed between parties and may or may not be legally binding. Ensure that the agreement documents the legislative authorities, permissible uses, and retention standards for the recipient organization.
- Related controls and activities: PT-08.
(401) Information sharing: Information sharing arrangement
- Ensure through written arrangements the appropriate safeguarding of sensitive information shared between and within federal institutions.
- Discussion: None.
- GC discussion: An arrangement outlines the terms and conditions under which personal information is disclosed between parties and is not legally binding. Ensure that the arrangement documents the legislative authorities, permissible uses, and retention standards for the recipient organization.
- Related controls and activities: PT-08.

References:

Top of page

AC-22 Publicly accessible content

Control

Designate individuals authorized to make information publicly accessible
Train authorized individuals to ensure that publicly accessible information does not contain non-public information
Review the proposed content of information prior to posting onto the publicly accessible system to ensure that non-public information is not included
Review the content on the publicly accessible system for non-public information [Assignment: organization-defined frequency] and remove such information, if discovered

Discussion

In accordance with applicable laws, Orders in Council, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to non-public information, including personal information, information protected under the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.

Related controls and activities

AC-03, AT-02, AT-03, AU-13.

Enhancements

None.

References

None.

Top of page

AC-23 Data mining protection

Control

Employ [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to detect and protect against unauthorized data mining.

Discussion

Data mining is an analytical process that attempts to find correlations or patterns in large datasets for the purpose of data or knowledge discovery, at times matching information about the individual across datasets (data matching). Data storage objects include database records and database fields. Sensitive information can be extracted from data mining operations. When information is personal information, it may lead to unanticipated revelations about individuals and give rise to privacy risks. Ahead of any data mining activity, these privacy risks need to be identified, addressed, and when appropriate, mitigated. Prior to performing data mining activities, organizations determine whether such activities are authorized in law.

Data mining prevention and detection techniques include limiting the number and frequency of database queries to increase the work factor needed to determine the contents of databases, limiting types of responses provided to database queries, applying differential privacy techniques or homomorphic encryption, and notifying personnel when atypical database queries or accesses occur. Notification of atypical queries or accesses to the appropriate personnel is essential as they may constitute a privacy or security breach. Data mining protection focuses on protecting information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for inappropriate releases of organizational information that may have been mined or otherwise obtained from data stores and is available as open-source information.

GC discussion

The creation of personal information is governed by the same restrictions designated in the Privacy Act related to the collection of personal information. Organizations may be subject to applicable laws, Orders in Council, directives, regulations, or policies that address data mining requirements. Organizational personnel consult with the appropriate privacy senior official or executive and legal counsel regarding such requirements.

Related controls and activities

PM-12, PT-02.

Enhancements

None.

References

None.

Top of page

AC-24 Access control decisions

Control

[Selection (1 or more): Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.

Discussion

Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when systems enforce access control decisions. While it is common to have access control decisions and access enforcement implemented by the same entity, it is not required, and it is not always an optimal implementation choice. For some architectures and distributed systems, different entities may make access control decisions and enforce access.

Related controls and activities

AC-02, AC-03.

Enhancements

(01) Access control decisions: Transmit access authorization information
- Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions.
- Discussion: Authorization processes and access control decisions may occur in separate parts of systems or in separate systems. In such instances, authorization information is transmitted securely (e.g., using cryptographic mechanisms) so that timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information supporting security and privacy attributes. This is because in distributed systems, there are various access control decisions that need to be made, and different entities make these decisions in a serial fashion, each requiring those attributes to make the decisions. Protecting access authorization information ensures that such information cannot be altered, spoofed, or compromised during transmission.
- Related controls and activities: AU-10.
(02) Access control decisions: No user or process identity
- Enforce access control decisions based on [Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user.
- Discussion: In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is not needed for access control decisions, and especially in the case of distributed systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish. MAC, RBAC, ABAC, and label-based control policies, for example, might not include user identity as an attribute.
- Related controls and activities: None.

References

None.

Top of page

AC-25 Reference monitor

Control

Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamper-proof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.

Discussion

A reference monitor is a set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects. A reference validation mechanism is always invoked, tamper-proof, and small enough to be subject to analysis and tests, the completeness of which can be assured (i.e., verifiable). Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are associated with data structures, such as records, buffers, communications ports, tables, files, and inter-process pipes.

Reference monitors enforce access control policies that restrict access to objects based on the identity of subjects or groups to which the subjects belong. The system enforces the access control policy based on the rule set established by the policy. The tamper-proof property of the reference monitor prevents determined adversaries from compromising the functioning of the reference validation mechanism. The always invoked property prevents adversaries from bypassing the mechanism and violating the security policy. The smaller size helps to ensure completeness in the analysis and testing of the mechanism to detect any weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy.

Related controls and activities

AC-03, AC-08, AC-16, SA-08, SA-17, SC-03, SC-11, SC-39, SI-13.

Enhancements

None.

References

None.

Table of Contents

On this page

AC-01 Access control policy and procedures

Activity

Discussion

Related controls and activities

AC-02 Account management

Control

Discussion

Related controls and activities

Enhancements

AC-03 Access enforcement

Control

Discussion

Related controls and activities

Enhancements

AC-04 Information flow enforcement

Control

Discussion

Related controls and activities

Enhancements

AC-05 Separation of duties

Control

Discussion

Related controls and activities

Enhancements

References

AC-06 Least privilege

Control

Discussion

Related controls and activities

Enhancements

References

AC-07 Unsuccessful logon attempts

Control

Discussion

Related controls and activities

Enhancements

AC-08 System use notification

Control

Discussion

GC discussion

Related controls and activities

Enhancements

AC-09 Previous logon notification

Control

Discussion

Related controls and activities

Enhancements

References

AC-10 Concurrent session control

Control

Discussion

Related controls and activities

Enhancements

References

AC-11 Device lock

Control

Discussion

Related controls and activities

Enhancements

References

AC-12 Session termination

Discussion

Related controls and activities

Enhancements

References

AC-13 Supervision and review – access control

AC-14 Permitted actions without identification or authentication

Control

Discussion

Related controls and activities

Enhancements

References

AC-15 Automated marking

AC-16 Security and privacy attributes

Control

Discussion

Related controls and activities

Enhancements