Trustmark Definition (TD):
Security - Minimum Access Control

Metadata


Identifier: https://trustmark.gtri.gatech.edu/operational-pilot/trustmark-definitions/security-minimum-access-control/1.0/
Name: Security - Minimum Access Control
Version: 1.0
Publication Date: 2015-06-16
Trustmark Defining Organization
  Identifier: https://trustmark.gtri.gatech.edu/
  Name: Georgia Tech Research Institute
PRIMARY Contact
  Email: TrustmarkFeedback@gtri.gatech.edu
  Telephone: 404-407-8956
  Mailing Address: 75 5th Street NW, Suite 900, Atlanta, GA 30308
Description: This Trustmark Definition defines the conformance and assessment criteria for organizational compliance with minimum security requirements for Access Control based on National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, and the information assurance controls for 'low impact' systems as defined by NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, National Institute of Standards and Technology, April 2013 (including updates as of 01-15-2014).
Target Stakeholders: Organizations and relying parties interested in systems' compliance with NIST 800-53 standards.
Target Recipients: Organizations that desire to provide and/or consume services compliant with NIST 800-53 standards.
Target Relying Parties: Relying parties interested in systems' compliance with NIST 800-53 standards.
Target Providers: Trustmark Providers evaluating organizations for compliance with NIST 800-53 standards.
Provider Criteria: Any organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition.
Assessor Qualifications: Any individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition.
Trustmark Revocation Criteria: For any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied.
Extension Description: This Trustmark Definition requires no extension data.
Legal Notice: This document and the information contained herein is provided on an "AS IS" basis, and the Georgia Tech Research Institute disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, the Georgia Tech Research Institute disclaims legal liability for any loss incurred as a result of the use of or reliance on the document or the information contained herein.
Notes: The Georgia Tech Research Institute (GTRI) has published this document with the support of the National Strategy for Trusted Identities in Cyberspace (NSTIC) via the National Institute of Standards and Technology (NIST). The views expressed herein do not necessarily reflect the official policies of GTRI, NIST or NSTIC; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.

Conformance Criteria (12)


1: FIPS-Access-Control

Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

Citation(s)
  • FIPS-200: Section 3, Minimum Security Requirements

2: AC-1

Organizations must implement security control AC-1, Access Control Policy and Procedures, in accordance with NIST SP800-53R4.

Citation(s)

3: AC-2

Organizations must implement security control AC-2, Account Management, in accordance with NIST SP800-53R4.

Citation(s)

4: AC-3

Organizations must implement security control AC-3, Access Enforcement, in accordance with NIST SP800-53R4.

Citation(s)

5: AC-7

Organizations must implement security control AC-7, Unsuccessful Logon Attempts, in accordance with NIST SP800-53R4.

Citation(s)

6: AC-8

Organizations must implement security control AC-8, System Use Notification, in accordance with NIST SP800-53R4.

Citation(s)

7: AC-14

Organizations must implement security control AC-14, Permitted Actions without Identification or Authentication, in accordance with NIST SP800-53R4.

Citation(s)

8: AC-17

Organizations must implement security control AC-17, Remote Access, in accordance with NIST SP800-53R4.

Citation(s)

9: AC-18

Organizations must implement security control AC-18, Wireless Access, in accordance with NIST SP800-53R4.

Citation(s)

10: AC-19

Organizations must implement security control AC-19, Access Control for Mobile Devices, in accordance with NIST SP800-53R4.

Citation(s)

11: AC-20

Organizations must implement security control AC-20, Use of External Information Systems, in accordance with NIST SP800-53R4.

Citation(s)

12: AC-22

Organizations must implement security control AC-22, Publicly Accessible Content, in accordance with NIST SP800-53R4.

Citation(s)

Assessment Steps (12)


1: FIPS-Access-Control-Step (FIPS_Access_Control_Step)

Does the organization limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise?

Required Artifact(s)
  • FIPS-Access-Control

    Provide evidence (policies, actual compliance report, etc.) that the organization requires controls in place to ensure that system access is restricted to authorized users.

2: AC-1-Step (AC_1_Step)

Does the organization implement security control AC-1, Access Control Policy and Procedures, in accordance with NIST SP800-53R4?

Control: The organization:

a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:

  1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  2. Procedures to facilitate the implementation of the access control policy and associated access controls; and

b. Reviews and updates the current:

  1. Access control policy [Assignment: organization-defined frequency]; and
  2. Access control procedures [Assignment: organization-defined frequency].

Required Artifact(s)
  • AC-1

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control AC-1, Access Control Policy and Procedures, in accordance with NIST SP800-53R4.

3: AC-2-Step (AC_2_Step)

Does the organization implement security control AC-2, Account Management, in accordance with NIST SP800-53R4?

Control: The organization:

a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];

b. Assigns account managers for information system accounts;

c. Establishes conditions for group and role membership;

d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;

f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];

g. Monitors the use of information system accounts;

h. Notifies account managers:

  1. When accounts are no longer required;
  2. When users are terminated or transferred; and
  3. When individual information system usage or need-to-know changes;

i. Authorizes access to the information system based on:

  1. A valid access authorization;
  2. Intended system usage; and
  3. Other attributes as required by the organization or associated missions/business functions;

j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and

k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

Required Artifact(s)
  • AC-2

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control AC-2, Account Management, in accordance with NIST SP800-53R4.

4: AC-3-Step (AC_3_Step)

Does the organization implement security control AC-3, Access Enforcement, in accordance with NIST SP800-53R4?

Control: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Required Artifact(s)
  • AC-3

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control AC-3, Access Enforcement, in accordance with NIST SP800-53R4.

5: AC-7-Step (AC_7_Step)

Does the organization implement security control AC-7, Unsuccessful Logon Attempts, in accordance with NIST SP800-53R4?

Control: The information system:

a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and

b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.

Required Artifact(s)
  • AC-7

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control AC-7, Unsuccessful Logon Attempts, in accordance with NIST SP800-53R4.
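The AC-7 control text above specifies a mechanism rather than only a policy statement, so the following is an added Python example (not part of this Trustmark Definition and not code from NIST SP 800-53) of an enforcement point for it: a per-user sliding window of consecutive invalid logon attempts (AC-7(a)) followed by one of the three responses in the AC-7(b) selection. The policy class fields map onto the control's assignment and selection parameters; any numeric values used with it are constructed sample assignments, and the exponential backoff used for the "delay algorithm" option is an assumption, since the control leaves that algorithm organization-defined.

```python
"""Enforcement skeleton for AC-7 (Unsuccessful Logon Attempts).

Added example, not part of the Trustmark Definition or of NIST SP 800-53.
Policy fields correspond to the control's [Assignment] / [Selection] parameters.
"""
from __future__ import annotations

import math
from collections import deque
from dataclasses import dataclass, field
from enum import Enum


class LockoutMode(Enum):
    """The [Selection: ...] in AC-7(b)."""
    LOCK_FOR_PERIOD = "lock the account for an organization-defined period"
    LOCK_UNTIL_ADMIN = "lock the account until released by an administrator"
    DELAY_NEXT_PROMPT = "delay the next logon prompt per a delay algorithm"


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int                # AC-7(a): organization-defined number
    window_seconds: float            # AC-7(a): organization-defined time period
    mode: LockoutMode                # AC-7(b): the organization's selection
    lock_seconds: float = 0.0        # used only for LOCK_FOR_PERIOD
    delay_base_seconds: float = 1.0  # used only for DELAY_NEXT_PROMPT (assumed exponential backoff)


@dataclass
class AccountState:
    failures: deque[float] = field(default_factory=deque)  # timestamps of recent invalid attempts
    locked_until: float | None = None   # None = not locked; math.inf = administrator release required
    next_prompt_at: float = 0.0         # earliest time the next logon prompt may be shown


class LogonGuard:
    """Tracks consecutive invalid logon attempts per user and applies the AC-7(b) response.

    Call check() before presenting a logon prompt and record_failure()/record_success()
    after each authentication decision. `now` is passed explicitly so the logic is
    deterministic and testable; production callers would pass time.monotonic().
    """

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._state: dict[str, AccountState] = {}

    def _get(self, user: str) -> AccountState:
        return self._state.setdefault(user, AccountState())

    def _prune(self, st: AccountState, now: float) -> None:
        # Only failures inside the sliding window count toward the limit.
        cutoff = now - self.policy.window_seconds
        while st.failures and st.failures[0] < cutoff:
            st.failures.popleft()

    def check(self, user: str, now: float) -> tuple[bool, str]:
        """Return (may_attempt_logon, reason) for the user at time `now`."""
        st = self._get(user)
        if st.locked_until is not None:
            if now < st.locked_until:
                return (False, "locked")
            st.locked_until = None  # timed lock has expired; start a fresh count
            st.failures.clear()
        if now < st.next_prompt_at:
            return (False, "delayed")
        return (True, "ok")

    def record_failure(self, user: str, now: float) -> str:
        """Register an invalid logon attempt and return the action taken."""
        st = self._get(user)
        self._prune(st, now)
        st.failures.append(now)
        # Responds on the Nth consecutive failure within the window. If the organization
        # reads "exceeded" as N+1 attempts, change `<` to `<=`.
        if len(st.failures) < self.policy.max_attempts:
            return "counted"
        mode = self.policy.mode
        if mode is LockoutMode.LOCK_FOR_PERIOD:
            st.locked_until = now + self.policy.lock_seconds
            return "locked_for_period"
        if mode is LockoutMode.LOCK_UNTIL_ADMIN:
            st.locked_until = math.inf
            return "locked_until_admin"
        # DELAY_NEXT_PROMPT: delay doubles with each failure beyond the limit.
        excess = len(st.failures) - self.policy.max_attempts
        st.next_prompt_at = now + self.policy.delay_base_seconds * (2 ** excess)
        return "delayed"

    def record_success(self, user: str, now: float) -> None:
        """A successful logon ends the run of consecutive failures."""
        self._state.pop(user, None)

    def admin_unlock(self, user: str) -> None:
        """Administrator release for LOCK_UNTIL_ADMIN (also clears a timed lock)."""
        self._state.pop(user, None)
```

An assessor checking AC-7 would want to see the assigned values for max_attempts, window_seconds and the selected mode recorded in the security plan and matched against what the system actually enforces.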

6: AC-8-Step (AC_8_Step)

Does the organization implement security control AC-8, System Use Notification, in accordance with NIST SP800-53R4?

Control: The information system:

a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:

  1. Users are accessing a U.S. Government information system;
  2. Information system usage may be monitored, recorded, and subject to audit;
  3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
  4. Use of the information system indicates consent to monitoring and recording;

b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and

c. For publicly accessible systems:

  1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
  2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
  3. Includes a description of the authorized uses of the system.

Required Artifact(s)
  • AC-8

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control AC-8, System Use Notification, in accordance with NIST SP800-53R4.

7: AC-14-Step (AC_14_Step)

Does the organization implement security control AC-14, Permitted Actions without Identification or Authentication, in accordance with NIST SP800-53R4?

Control: The organization:

a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

Required Artifact(s)
  • AC-14

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control AC-14, Permitted Actions without Identification or Authentication, in accordance with NIST SP800-53R4.

8: AC-17-Step (AC_17_Step)

Does the organization implement security control AC-17, Remote Access, in accordance with NIST SP800-53R4?

Control: The organization:

a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

b. Authorizes remote access to the information system prior to allowing such connections.

Required Artifact(s)
  • AC-17

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control AC-17, Remote Access, in accordance with NIST SP800-53R4.

9: AC-18-Step (AC_18_Step)

Does the organization implement security control AC-18, Wireless Access, in accordance with NIST SP800-53R4?

Control: The organization:

a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and

b. Authorizes wireless access to the information system prior to allowing such connections.

Required Artifact(s)
  • AC-18

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control AC-18, Wireless Access, in accordance with NIST SP800-53R4.

10: AC-19-Step (AC_19_Step)

Does the organization implement security control AC-19, Access Control for Mobile Devices, in accordance with NIST SP800-53R4?

Control: The organization:

a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and

b. Authorizes the connection of mobile devices to organizational information systems.

Required Artifact(s)
  • AC-19

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control AC-19, Access Control for Mobile Devices, in accordance with NIST SP800-53R4.

11: AC-20-Step (AC_20_Step)

Does the organization implement security control AC-20, Use of External Information Systems, in accordance with NIST SP800-53R4?

Control: The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

a. Access the information system from external information systems; and

b. Process, store, or transmit organization-controlled information using external information systems.

Required Artifact(s)
  • AC-20

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control AC-20, Use of External Information Systems, in accordance with NIST SP800-53R4.

12: AC-22-Step (AC_22_Step)

Does the organization implement security control AC-22, Publicly Accessible Content, in accordance with NIST SP800-53R4?

Control: The organization:

a. Designates individuals authorized to post information onto a publicly accessible information system;

b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and

d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.

Required Artifact(s)
  • AC-22

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control AC-22, Publicly Accessible Content, in accordance with NIST SP800-53R4.

Issuance Criteria


yes(ALL)

Sources (2)


FIPS-200
Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems, National Institute of Standards and Technology, March 2006.
SP800-53R4
NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, National Institute of Standards and Technology, April 2013 (includes updates as of 01-15-2014).

Terms (54)


Accreditation

The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Adequate Security

Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. [OMB Circular A-130, Appendix III]

Agency

Any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: (i) the Government Accountability Office; (ii) the Federal Election Commission; (iii) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or (iv) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities. [44 U.S.C., SEC. 3502]

Authentication

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Authorizing Official

Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority.

Availability

Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]

Certification

A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Chief Information Officer

Agency official responsible for: (i) providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency; (ii) developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and (iii) promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency. [44 U.S.C., Sec. 5125(b)]

Chief Information Security Officer

See Senior Agency Information Security Officer.

Confidentiality

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]

Countermeasures

Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. [CNSS Instruction 4009] Synonymous with security controls and safeguards.

Environment

Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an information system. [CNSS Instruction 4009]

Executive Agency

An executive department specified in 5 U.S.C., SEC. 101; a military department specified in 5 U.S.C., SEC. 102; an independent establishment as defined in 5 U.S.C., SEC. 104(1); and a wholly-owned Government corporation fully subject to the provisions of 31 U.S.C., CHAPTER 91. [41 U.S.C., SEC. 403]

Federal Agency

See Agency.

Federal Information System

An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. [40 U.S.C., SEC. 11331]

High-Impact System

An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.

Incident

An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

Information

An instance of an information type. [FIPS Publication 199]

Information Owner

Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. [CNSS Instruction 4009]

Information Resources

Information and related resources, such as personnel, equipment, funds, and information technology. [44 U.S.C., SEC. 3502]

Information Security

The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. [44 U.S.C., SEC. 3542]

Information System

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [44 U.S.C., SEC. 3502]

Information System Owner

Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. [CNSS Instruction 4009 Adapted]

Information Technology

Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which: (i) requires the use of such equipment; or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. [40 U.S.C., SEC. 1401]

Information Type

A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation. [FIPS Publication 199]

Integrity

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542]

Low-Impact System

An information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low.

Management Controls

The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.

Media

Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.

Moderate-Impact System

An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of moderate, and no security objective is assigned a FIPS 199 potential impact value of high.

National Security Information

Information that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status.

National Security System

Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency - (i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. [44 U.S.C., SEC. 3542]

Operational Controls

The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).

Organization

A federal agency or, as appropriate, any of its operational elements.

Potential Impact

The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. [FIPS Publication 199]

Records

All books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities of the Government or because of the informational value of the data in them. [44 U.S.C. SEC. 3301]

Risk

The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.

Risk Management

The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.

Safeguards

Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. [CNSS Instruction 4009 Adapted] Synonymous with security controls and countermeasures.

Sanitization

Process to remove information from media such that information recovery is not possible. It includes removing all labels, markings, and activity logs. [CNSS Instruction 4009 Adapted]

Security Category

The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals. [FIPS Publication 199]

Security Controls

The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. [FIPS Publication 199]

Security Control Baseline

The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.

Security Objective

Confidentiality, integrity, or availability. [FIPS Publication 199]

Security Plan

See System Security Plan.

Security Requirements

Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.

Senior Agency Information Security Officer

Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer's primary liaison to the agency's authorizing officials, information system owners, and information system security officers. [44 U.S.C., Sec. 3544]

System

See information system.

System Security Plan

Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. [NIST Special Publication 800-18, Revision 1]

Technical Controls

The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

Threat

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability. [CNSS Instruction 4009 Adapted]

Threat Source

The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with threat agent.

User

Individual or (system) process authorized to access an information system. [CNSS Instruction 4009]

Vulnerability

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. [CNSS Instruction 4009 Adapted]