CCI-002164

Enforce organization-defined discretionary access control policy that over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: pass the information to any other subjects or objects; grant its privileges to other subjects; change security attributes on subjects, objects, the system, or the system's components; choose the security attributes to be associated with newly created or revised objects; and/or change the rules governing access control.

Implementation Guidance

The organization being inspected/assessed documents the discretionary access control policies that a subject which has been granted access to information can do one or more of the following: pass the information to any other subjects or objects; grant its privileges to other subjects; change security attributes on subjects, objects, the information system, or the information system’s components; choose the security attributes to be associated with newly created or revised objects; and/or change the rules governing access control.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented discretionary access control policies to ensure the organization being inspected/assessed specifies that a subject which has been granted access to information can do one or more of the following: pass the information to any other subjects or objects; grant its privileges to other subjects; change security attributes on subjects, objects, the information system, or the information system’s components; choose the security attributes to be associated with newly created or revised objects; and/or change the rules governing access control.

Compelling Evidence

1.) Signed and dated discretionary access control policies.

The controls below (if any) were marked by NIST as being related to CCI-002164.