AC - Access Control
Limit system access to authorized users, processes, and devices
22 Practices
Limit system access to authorized users, processes acting on behalf of authorized users, and devices
This control means ensuring only the right people, automated processes, and devices can access your systems. Think of it like a bouncer at a club: only...
Limit system access to the types of transactions and functions that authorized users are permitted to execute
This control ensures that users can only perform actions and access functions within a system that they are explicitly authorized to use. Think of it ...
Use session lock with pattern-hiding displays
This practice requires organizations to implement session locks on devices that display sensitive information. A session lock automatically locks the ...
Terminate (automatically) a user session after a defined condition
This control requires systems to automatically log users out after a period of inactivity or other defined condition (like a security event). Think of...
Monitor and control remote access sessions
This control requires organizations to actively track and manage remote connections to their systems. It means ensuring that only authorized users can...
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
This practice requires that organizations use encryption to secure remote access sessions, ensuring that sensitive data transmitted over these session...
Route remote access via managed access control points
This control requires that all remote access to your organization's systems (like employees working from home or vendors accessing your network) must ...
Authorize remote execution of privileged commands and remote access to security-relevant information
This control requires organizations to formally approve and document who can remotely execute high-level (privileged) commands or access sensitive sec...
Authorize wireless access prior to allowing such connections
This control requires organizations to formally approve and document any wireless devices or users before they can connect to the network. Think of it...
Protect wireless access using authentication and encryption
This control requires organizations to secure their wireless networks by ensuring that only authorized users can access them and that all data transmi...
Control connection of mobile devices
This control requires organizations to manage and restrict how mobile devices connect to their systems and networks. Mobile devices include smartphone...
Encrypt CUI on mobile devices and mobile computing platforms
This control requires that any Controlled Unclassified Information (CUI) stored on mobile devices or mobile computing platforms (such as laptops, tabl...
Verify and control/limit connections to and use of external systems
This control requires organizations to monitor and restrict how their internal systems connect to external systems (like cloud services, vendors, or p...
Limit use of portable storage devices on external systems
This practice requires organizations to control and restrict the use of portable storage devices (like USB drives, external hard drives, or SD cards) ...
Control CUI posted or processed on publicly accessible systems
This control requires that any Controlled Unclassified Information (CUI) must not be posted or processed on systems that are publicly accessible. Publ...
Control the flow of CUI in accordance with approved authorizations
This practice requires organizations to ensure that Controlled Unclassified Information (CUI) only moves between systems and users based on approved p...
Separate the duties of individuals to reduce the risk of malevolent activity
This practice requires organizations to assign different responsibilities to different people to prevent any single individual from having too much co...
Employ the principle of least privilege
The principle of least privilege means giving users and systems only the minimum access they need to perform their job functions. This reduces the ris...
Use non-privileged accounts or roles when accessing nonsecurity functions
This control means that employees should use standard user accounts (not admin or privileged accounts) for everyday tasks like checking email, browsin...
Prevent non-privileged users from executing privileged functions
This practice ensures that only authorized users with elevated privileges can perform critical system operations, such as installing software, changin...
Limit unsuccessful logon attempts
This practice requires organizations to set a limit on the number of unsuccessful login attempts a user can make before their account is locked or tem...
Provide privacy and security notices consistent with applicable CUI rules
This practice requires organizations to clearly inform users about privacy and security policies when handling Controlled Unclassified Information (CU...