Navigate

CCI-002157

CCI-002157 Definition

The mandatory access control policy specifies that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the information system, or information system components.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the information system, or information system components. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2157.

Validation Procedures

The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the information system, or information system components. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2157.

Compelling Evidence

1.) Signed and dated mandatory access control policies which specify that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the information system, or information system components. 2.) Applicable STIG/SRG checks.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002157.

Control	Description
AC-3 (3)	The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy: AC-3 (3)(a): Is uniformly enforced across all subjects and objects within the boundary of the information system; AC-3 (3)(b): Specifies that a subject that has been granted access to information is constrained from doing any of the following; AC-3 (3)(b)(1): Passing the information to unauthorized subjects or objects; AC-3 (3)(b)(2): Granting its privileges to other subjects; AC-3 (3)(b)(3): Changing one or more security attributes on subjects, objects, the information system, or information system components; AC-3 (3)(b)(4): Choosing the security attributes and attribute values to be associated with newly created or modified objects; or AC-3 (3)(b)(5): Changing the rules governing access control; and AC-3 (3)(c): Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.

Control

Description

AC-3 (3)

The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy:

AC-3 (3)(a): Is uniformly enforced across all subjects and objects within the boundary of the information system;

AC-3 (3)(b): Specifies that a subject that has been granted access to information is constrained from doing any of the following;
- AC-3 (3)(b)(1): Passing the information to unauthorized subjects or objects;
- AC-3 (3)(b)(2): Granting its privileges to other subjects;
- AC-3 (3)(b)(3): Changing one or more security attributes on subjects, objects, the information system, or information system components;
- AC-3 (3)(b)(4): Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
- AC-3 (3)(b)(5): Changing the rules governing access control; and

AC-3 (3)(c): Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.