Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
All information systems shall enforce approved authorizations for logical access to information and information system resources in accordance with approved access control policies.
Additionally, all information systems shall, at a minimum, enforce a Discretionary Access Control (DAC) policy that:
Allows users to specify and control sharing by named individuals or groups of individuals, or by both
Click here to enter text.
Limits propagation of access rights
Click here to enter text.
Includes or excludes access to the granularity of a single user
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization enforces dual authorization for all transfers of data from a classified computer network to removable media.
This includes the technical separation of roles (e.g., DTA and ISSM or designated representative). Only trained Data Transfer Agents (DTAs) are authorized to transfer data from an IS to removable media. Only the ISSM and/or designated representatives are authorized to enable permissions to transfer data to removable media. This control supports insider threat mitigation.
Data transfer authorization enforcement can be performed by the organization, but should have technical separation of roles to support the organization's implemented dual authorization process. Example of an implementation meeting the spirit of AC-3(2): The organization policy states that appropriately trained Data Transfer/Trusted Download Agents are the only individuals authorized to transfer data from a classified system to removable media, and only the ISSM and/or designated representatives are authorized to enable permissions to transfer removable media.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The IS enforces discretionary access control to include or exclude access to the granularity of a single user who may be granted authorization to:
Pass information to other subjects or objects;
Grant privileges to other subjects;
Change security attributes;
Choose security attributes for newly created or revised objects; and
Change the rule governing access control when authorized.
The assumption is that some user data/information in organizational information systems is not shareable with other users who have authorized access to the same systems. Address at a minimum: allow users to specify and control sharing by named individuals or groups; limit propagation of access rights; include or exclude access to the granularity of a single user.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.2.3.3 AC-3(6) – Access Enforcement: Protection of User and System Information – WITHDRAWN: Incorporated into MP-4 and SC-28