CCI-002354

Defines the security attributes, not to include the identity of the user or process acting on behalf of the user, to be used as the basis for enforcing access control decisions.

Implementation Guidance

Determine if: - access control decisions are enforced based on [AC-24(02)_ODP[01]; security attributes that do not include the identity of the user or process acting on behalf of the user are defined (if selected)] that do not include the identity of the user or process acting on behalf of the user (if selected). - access control decisions are enforced based on [AC-24(02)_ODP[02]; privacy attributes that do not include the identity of the user or process acting on behalf of the user are defined (if selected)] that do not include the identity of the user or process acting on behalf of the user (if selected).

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security and privacy responsibilities; system developers]. Test: [SELECT FROM: Mechanisms implementing access enforcement functions].

The controls below (if any) were marked by NIST as being related to CCI-002354.