CCIs (Control Correlation Identifiers)

Number Definition Status Related
CCI-000001 The organization develops an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Draft AC-1
CCI-000002 The organization disseminates the access control policy to organization-defined personnel or roles. Draft AC-1
CCI-000003 The organization reviews and updates the access control policy in accordance with organization-defined frequency. Draft AC-1
CCI-000004 The organization develops procedures to facilitate the implementation of the access control policy and associated access controls. Draft AC-1
CCI-000005 The organization disseminates the procedures that facilitate implementation of the access control policy and associated access controls to the organization-defined personnel or roles. Draft AC-1
CCI-000006 The organization reviews and updates the access control procedures in accordance with organization-defined frequency. Draft AC-1
CCI-000007 The organization manages information system accounts by identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary). Draft
CCI-000008 The organization establishes conditions for group membership. Draft AC-2
CCI-000009 The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges. Draft
CCI-000010 The organization requires approvals by organization-defined personnel or roles for requests to create information system accounts. Draft AC-2
CCI-000011 The organization creates, enables, modifies, disables, and removes information system accounts in accordance with organization-defined procedures or conditions. Draft AC-2
CCI-000012 The organization reviews information system accounts for compliance with account management requirements per organization-defined frequency. Draft AC-2
CCI-000013 The organization manages information system accounts by notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes. Draft
CCI-000014 The organization manages information system accounts by granting access to the system based on a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions. Draft
CCI-000015 The organization employs automated mechanisms to support the information system account management functions. Draft AC-2 (1)
CCI-000016 The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account. Draft AC-2 (2)
CCI-000017 The information system automatically disables inactive accounts after an organization-defined time period. Draft AC-2 (3)
CCI-000018 The information system automatically audits account creation actions. Draft AC-2 (4)
CCI-000019 The organization requires that users log out in accordance with the organization-defined time period of inactivity or description of when to log out. Draft AC-2 (5)
CCI-000020 The information system dynamically manages user privileges and associated access authorizations. Draft
CCI-000021 The information system enforces dual authorization for organization-defined privileged commands and/or other organization-defined actions. Draft AC-3 (2)
CCI-000022 The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources. Draft
CCI-000023 The organization develops an organization-wide information security program plan that provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan, and a determination of the risk to be incurred if the plan is implemented as intended. Draft
CCI-000024 The information system prevents access to organization-defined security-relevant information except during secure, non-operable system states. Draft AC-3 (5)
CCI-000025 The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions. Draft
CCI-000026 The information system uses protected processing domains to enforce organization-defined information flow control policies as a basis for flow control decisions. Draft AC-4 (2)
CCI-000027 The information system enforces dynamic information flow control based on organization-defined policies. Draft AC-4 (3)
CCI-000028 The information system prevents encrypted information from bypassing content-checking mechanisms by employing organization-defined procedures or methods. Draft AC-4 (4)
CCI-000029 The information system enforces organization-defined limitations on the embedding of data types within other data types. Draft AC-4 (5)
CCI-000030 The information system enforces information flow control based on organization-defined metadata. Draft AC-4 (6)
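CCI-000016 and CCI-000017 (AC-2 (2) and AC-2 (3)) describe two automatic account-lifecycle actions: removing or disabling temporary accounts after an organization-defined period, and disabling any account after an organization-defined period of inactivity. The script below is an added example of that evaluation logic run over a constructed account inventory; it is not DISA's or any product's code. The account record fields, the 72-hour and 35-day thresholds, and the sample accounts are assumptions chosen for illustration, and each returned action is also rendered as a structured record of the kind CCI-000018 (AC-2 (4)) expects to be audited.

```python
"""Account-lifecycle check modelled on CCI-000016 / CCI-000017 (AC-2 (2), AC-2 (3)).

Added example, not DISA's or any product's code. The record layout, the
thresholds and the sample inventory below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Organization-defined parameters (assumed values for this example).
TEMP_ACCOUNT_MAX_AGE = timedelta(hours=72)  # temporary accounts: remove after 72 hours
INACTIVITY_LIMIT = timedelta(days=35)       # every account: disable after 35 idle days


@dataclass
class Account:
    name: str
    kind: str                      # individual, group, system, application, guest, temporary
    created: datetime
    last_login: Optional[datetime]  # None means the account has never authenticated
    enabled: bool = True


def evaluate(account: Account, now: datetime) -> Optional[str]:
    """Return the AC-2 (2)/(3) action for one account: 'remove', 'disable' or None."""
    if not account.enabled:
        return None  # already disabled; re-disabling would only generate noise
    # AC-2 (2): temporary accounts are measured from creation, not from last use,
    # so an attacker keeping a temporary account "warm" cannot extend its life.
    if account.kind == "temporary" and now - account.created > TEMP_ACCOUNT_MAX_AGE:
        return "remove"
    # AC-2 (3): an account that has never logged in is measured from creation,
    # otherwise a provisioned-but-unused account would idle forever.
    last_seen = account.last_login or account.created
    if now - last_seen > INACTIVITY_LIMIT:
        return "disable"
    return None


def review(accounts: List[Account], now: datetime) -> List[Tuple[str, str]]:
    """Evaluate every account; return (name, action) pairs for accounts needing action."""
    results = []
    for account in accounts:
        action = evaluate(account, now)
        if action is not None:
            results.append((account.name, action))
    return results


def audit_record(name: str, action: str, now: datetime) -> dict:
    """Structured event for the action taken, the kind of record AC-2 (4) expects audited."""
    return {
        "timestamp": now.isoformat(),
        "event": "account_" + action,   # account_disable / account_remove
        "subject": "account-lifecycle-job",  # assumed name of the automated actor
        "object": name,
        "outcome": "success",
    }


# Constructed sample inventory (not real data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Account("alice", "individual", NOW - timedelta(days=400), NOW - timedelta(days=2)),
    Account("bob", "individual", NOW - timedelta(days=400), NOW - timedelta(days=60)),
    Account("svc-backup", "system", NOW - timedelta(days=100), None),
    Account("vendor-tmp", "temporary", NOW - timedelta(days=5), NOW - timedelta(days=1)),
    Account("contractor", "temporary", NOW - timedelta(days=1), None),
    Account("carol", "individual", NOW - timedelta(days=400), NOW - timedelta(days=90),
            enabled=False),
]

if __name__ == "__main__":
    for name, action in review(SAMPLE, NOW):
        print(audit_record(name, action, NOW))
```

Two design points carry over to real implementations: temporary accounts age from creation rather than last use, so recent activity never extends them, and never-used accounts age from creation, so provisioning without use still triggers the inactivity disable. Accounts already disabled are skipped so the job produces one audit event per actual state change.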