NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations
AC - Access Control
126 Controls
AC-1 - Access Control Policy and Procedures
AC-2 - Account Management
13 Subcontrols
AC-2.1 - Automated System Account Management
AC-2.2 - Removal of Temporary / Emergency Accounts
AC-2.3 - Disable Inactive Accounts
AC-2.4 - Automated Audit Actions
AC-2.5 - Inactivity Logout
AC-2.6 - Dynamic Privilege Management
AC-2.7 - Role-based Schemes
AC-2.8 - Dynamic Account Creation
AC-2.9 - Restrictions On Use of Shared / Group Accounts
AC-2.10 - Shared / Group Account Credential Termination
AC-2.11 - Usage Conditions
AC-2.12 - Account Monitoring / Atypical Usage
AC-2.13 - Disable Accounts for High-risk Individuals
AC-3 - Access Enforcement
10 Subcontrols
AC-3.1 - Restricted Access to Privileged Functions
AC-3.2 - Dual Authorization
AC-3.3 - Mandatory Access Control
AC-3.4 - Discretionary Access Control
AC-3.5 - Security-relevant Information
AC-3.6 - Protection of User and System Information
AC-3.7 - Role-based Access Control
AC-3.8 - Revocation of Access Authorizations
AC-3.9 - Controlled Release
AC-3.10 - Audited Override of Access Control Mechanisms
AC-4 - Information Flow Enforcement
22 Subcontrols
AC-4.1 - Object Security Attributes
AC-4.2 - Processing Domains
AC-4.3 - Dynamic Information Flow Control
AC-4.4 - Content Check Encrypted Information
AC-4.5 - Embedded Data Types
AC-4.6 - Metadata
AC-4.7 - One-way Flow Mechanisms
AC-4.8 - Security Policy Filters
AC-4.9 - Human Reviews
AC-4.10 - Enable / Disable Security Policy Filters
AC-4.11 - Configuration of Security Policy Filters
AC-4.12 - Data Type Identifiers
AC-4.13 - Decomposition into Policy-relevant Subcomponents
AC-4.14 - Security Policy Filter Constraints
AC-4.15 - Detection of Unsanctioned Information
AC-4.16 - Information Transfers On Interconnected Systems
AC-4.17 - Domain Authentication
AC-4.18 - Security Attribute Binding
AC-4.19 - Validation of Metadata
AC-4.20 - Approved Solutions
AC-4.21 - Physical / Logical Separation of Information Flows
AC-4.22 - Access Only
AC-5 - Separation of Duties
AC-6 - Least Privilege
10 Subcontrols
AC-6.1 - Authorize Access to Security Functions
AC-6.2 - Non-privileged Access for Nonsecurity Functions
AC-6.3 - Network Access to Privileged Commands
AC-6.4 - Separate Processing Domains
AC-6.5 - Privileged Accounts
AC-6.6 - Privileged Access by Non-organizational Users
AC-6.7 - Review of User Privileges
AC-6.8 - Privilege Levels for Code Execution
AC-6.9 - Auditing Use of Privileged Functions
AC-6.10 - Prohibit Non-privileged Users from Executing Privileged Functions
AC-7 - Unsuccessful Logon Attempts
2 Subcontrols
AC-7.1 - Automatic Account Lock
AC-7.2 - Purge / Wipe Mobile Device
AC-8 - System Use Notification
AC-9 - Previous Logon (access) Notification
4 Subcontrols
AC-9.1 - Unsuccessful Logons
AC-9.2 - Successful / Unsuccessful Logons
AC-9.3 - Notification of Account Changes
AC-9.4 - Additional Logon Information
AC-10 - Concurrent Session Control
AC-11 - Session Lock
1 Subcontrol
AC-11.1 - Pattern-hiding Displays
AC-12 - Session Termination
1 Subcontrol
AC-12.1 - User-initiated Logouts / Message Displays
AC-13 - Supervision and Review - Access Control
AC-14 - Permitted Actions Without Identification or Authentication
1 Subcontrol
AC-14.1 - Necessary Uses
AC-15 - Automated Marking
AC-16 - Security Attributes
10 Subcontrols
AC-16.1 - Dynamic Attribute Association
AC-16.2 - Attribute Value Changes by Authorized Individuals
AC-16.3 - Maintenance of Attribute Associations by Information System
AC-16.4 - Association of Attributes by Authorized Individuals
AC-16.5 - Attribute Displays for Output Devices
AC-16.6 - Maintenance of Attribute Association by Organization
AC-16.7 - Consistent Attribute Interpretation
AC-16.8 - Association Techniques / Technologies
AC-16.9 - Attribute Reassignment
AC-16.10 - Attribute Configuration by Authorized Individuals
AC-17 - Remote Access
9 Subcontrols
AC-17.1 - Automated Monitoring / Control
AC-17.2 - Protection of Confidentiality / Integrity Using Encryption
AC-17.3 - Managed Access Control Points
AC-17.4 - Privileged Commands / Access
AC-17.5 - Monitoring for Unauthorized Connections
AC-17.6 - Protection of Information
AC-17.7 - Additional Protection for Security Function Access
AC-17.8 - Disable Nonsecure Network Protocols
AC-17.9 - Disconnect / Disable Access
AC-18 - Wireless Access
5 Subcontrols
AC-18.1 - Authentication and Encryption
AC-18.2 - Monitoring Unauthorized Connections
AC-18.3 - Disable Wireless Networking
AC-18.4 - Restrict Configurations by Users
AC-18.5 - Antennas / Transmission Power Levels
AC-19 - Access Control for Mobile Devices
5 Subcontrols
AC-19.1 - Use of Writable / Portable Storage Devices
AC-19.2 - Use of Personally Owned Portable Storage Devices
AC-19.3 - Use of Portable Storage Devices with No Identifiable Owner
AC-19.4 - Restrictions for Classified Information
AC-19.5 - Full Device / Container-based Encryption
AC-20 - Use of External Information Systems
4 Subcontrols
AC-20.1 - Limits On Authorized Use
AC-20.2 - Portable Storage Devices
AC-20.3 - Non-organizationally Owned Systems / Components / Devices
AC-20.4 - Network Accessible Storage Devices
AC-21 - Information Sharing
2 Subcontrols
AC-21.1 - Automated Decision Support
AC-21.2 - Information Search and Retrieval
AC-22 - Publicly Accessible Content
AC-23 - Data Mining Protection
AC-24 - Access Control Decisions
2 Subcontrols
AC-24.1 - Transmit Access Authorization Information
AC-24.2 - No User or Process Identity
AC-25 - Reference Monitor