Navigate

CCI-002156

CCI-002156 Definition

Enforce organization-defined mandatory access control policy over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information is constrained from granting its privileges to other subjects.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if [AC-03(03)_ODP[01]; mandatory access control policy enforced over the set of covered subjects is defined] and [AC-03(03)_ODP[02]; mandatory access control policy enforced over the set of covered objects is defined] specifying that a subject that has been granted access to information is constrained from granting its privileges to other subjects are enforced.

Validation Procedures

Examine: [SELECT FROM: Access control policy; mandatory access control policies; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; list of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers]. Test: [SELECT FROM: Automated mechanisms implementing mandatory access control].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002156.

Control	Description
AC-3(3)	Enforce [one of ] over the set of covered subjects and objects specified in the policy, and where the policy: (a): Is uniformly enforced across the covered subjects and objects within the system; (b): Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1): Passing the information to unauthorized subjects or objects; (2): Granting its privileges to other subjects; (3): Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4): Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5): Changing the rules governing access control; and (c): Specifies that [subjects to be explicitly granted privileges are defined;] may explicitly be granted [privileges to be explicitly granted to subjects are defined;] such that they are not limited by any defined subset (or all) of the above constraints.

Control

Description

AC-3(3)

Enforce [one of ] over the set of covered subjects and objects specified in the policy, and where the policy:

(a): Is uniformly enforced across the covered subjects and objects within the system;

(b): Specifies that a subject that has been granted access to information is constrained from doing any of the following;
- (1): Passing the information to unauthorized subjects or objects;
- (2): Granting its privileges to other subjects;
- (3): Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;
- (4): Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and
- (5): Changing the rules governing access control; and

(c): Specifies that [subjects to be explicitly granted privileges are defined;] may explicitly be granted [privileges to be explicitly granted to subjects are defined;] such that they are not limited by any defined subset (or all) of the above constraints.