Navigate

CCI-002157

CCI-002157 Definition

Enforce organization-defined mandatory access control policy over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the system, or system components.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if [AC-03(03)_ODP[01]; mandatory access control policy enforced over the set of covered subjects is defined] and [AC-03(03)_ODP[02]; mandatory access control policy enforced over the set of covered objects is defined] specifying that a subject that has been granted access to information is constrained from changing one of more security attributes (specified by the policy) on subjects, objects, the system, or system components are enforced.

Validation Procedures

Examine: [SELECT FROM: Access control policy; mandatory access control policies; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; list of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers]. Test: [SELECT FROM: Automated mechanisms implementing mandatory access control].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002157.

Control	Description
AC-3(3)	Enforce [one of ] over the set of covered subjects and objects specified in the policy, and where the policy: (a): Is uniformly enforced across the covered subjects and objects within the system; (b): Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1): Passing the information to unauthorized subjects or objects; (2): Granting its privileges to other subjects; (3): Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4): Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5): Changing the rules governing access control; and (c): Specifies that [subjects to be explicitly granted privileges are defined;] may explicitly be granted [privileges to be explicitly granted to subjects are defined;] such that they are not limited by any defined subset (or all) of the above constraints.

Control

Description

AC-3(3)

Enforce [one of ] over the set of covered subjects and objects specified in the policy, and where the policy:

(a): Is uniformly enforced across the covered subjects and objects within the system;

(b): Specifies that a subject that has been granted access to information is constrained from doing any of the following;
- (1): Passing the information to unauthorized subjects or objects;
- (2): Granting its privileges to other subjects;
- (3): Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;
- (4): Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and
- (5): Changing the rules governing access control; and

(c): Specifies that [subjects to be explicitly granted privileges are defined;] may explicitly be granted [privileges to be explicitly granted to subjects are defined;] such that they are not limited by any defined subset (or all) of the above constraints.