Navigate

CCI-002161

CCI-002161 Definition

The organization defines subjects which may explicitly be granted organization-defined privileges such that they are not limited by some or all of the mandatory access control constraints.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed defines and documents subjects which may explicitly be granted organization-defined privileges such that they are not limited by some or all of the mandatory access control constraints. DoD has determined that the subjects are not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented subjects to ensure they have been defined. DoD has determined that the subjects are not appropriate to define at the Enterprise level.

Compelling Evidence

1.) Signed and dated documentation which defines subjects not constrained by the mandatory access control policy.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002161.

Control	Description
AC-3 (3)	The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy: AC-3 (3)(a): Is uniformly enforced across all subjects and objects within the boundary of the information system; AC-3 (3)(b): Specifies that a subject that has been granted access to information is constrained from doing any of the following; AC-3 (3)(b)(1): Passing the information to unauthorized subjects or objects; AC-3 (3)(b)(2): Granting its privileges to other subjects; AC-3 (3)(b)(3): Changing one or more security attributes on subjects, objects, the information system, or information system components; AC-3 (3)(b)(4): Choosing the security attributes and attribute values to be associated with newly created or modified objects; or AC-3 (3)(b)(5): Changing the rules governing access control; and AC-3 (3)(c): Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.

Control

Description

AC-3 (3)

The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy:

AC-3 (3)(a): Is uniformly enforced across all subjects and objects within the boundary of the information system;

AC-3 (3)(b): Specifies that a subject that has been granted access to information is constrained from doing any of the following;
- AC-3 (3)(b)(1): Passing the information to unauthorized subjects or objects;
- AC-3 (3)(b)(2): Granting its privileges to other subjects;
- AC-3 (3)(b)(3): Changing one or more security attributes on subjects, objects, the information system, or information system components;
- AC-3 (3)(b)(4): Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
- AC-3 (3)(b)(5): Changing the rules governing access control; and

AC-3 (3)(c): Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.