CCI-002223

Authorize access for organization-defined individuals or roles to organization-defined security-relevant information.

Implementation Guidance

The organization being inspected/assessed documents and implements a process to explicitly authorize access to all security-relevant information not publicly available. Explicit authorization can be in the form of an acceptable use policy signed by the user at the time of access being granted. DoD has defined the security-relevant information as all security-relevant information not publicly available.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed explicitly authorizes access to all security-relevant information not publicly available. DoD has defined the security-relevant information as all security-relevant information not publicly available.

Compelling Evidence

1.) Signed and dated access control policy 2.) Signed and dated system security plan (SSP) 3.) Signed and dated documentation that defines the process to explicitly authorize access to all security-relevant information not publicly available

The controls below (if any) were marked by NIST as being related to CCI-002223.