Navigate

CCI-000010

CCI-000010 Definition

The organization requires approvals by organization-defined personnel or roles for requests to create information system accounts.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed implements a process for the ISSM or ISSO to approve information system account requests. The organization being inspected/assessed maintains an audit trail of approvals. DoD has defined the personnel or roles as the ISSM or ISSO.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the audit trail of approvals to ensure that the organization being inspected/assessed implements a process for the ISSM or ISSO to approve information system account requests. DoD has defined the personnel or roles as the ISSM or ISSO.

Compelling Evidence

1.) Signed and dated documentation that describes how the site implements a process for the ISSM or ISSO to approve information system account creation requests. 2.) Audit trail for account creation approvals.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000010.

Control	Description
AC-2	The organization: AC-2a.: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; AC-2b.: Assigns account managers for information system accounts; AC-2c.: Establishes conditions for group and role membership; AC-2d.: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; AC-2e.: Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; AC-2f.: Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; AC-2g.: Monitors the use of information system accounts; AC-2h.: Notifies account managers: AC-2h.1.: When accounts are no longer required; AC-2h.2.: When users are terminated or transferred; and AC-2h.3.: When individual information system usage or need-to-know changes; AC-2i.: Authorizes access to the information system based on: AC-2i.1.: A valid access authorization; AC-2i.2.: Intended system usage; and AC-2i.3.: Other attributes as required by the organization or associated missions/business functions; AC-2j.: Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and AC-2k.: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

Control

Description

AC-2

The organization:

AC-2a.: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];

AC-2b.: Assigns account managers for information system accounts;

AC-2c.: Establishes conditions for group and role membership;

AC-2d.: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

AC-2e.: Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;

AC-2f.: Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];

AC-2g.: Monitors the use of information system accounts;

AC-2h.: Notifies account managers:
- AC-2h.1.: When accounts are no longer required;
- AC-2h.2.: When users are terminated or transferred; and
- AC-2h.3.: When individual information system usage or need-to-know changes;

AC-2i.: Authorizes access to the information system based on:
- AC-2i.1.: A valid access authorization;
- AC-2i.2.: Intended system usage; and
- AC-2i.3.: Other attributes as required by the organization or associated missions/business functions;

AC-2j.: Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and

AC-2k.: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.