Navigate

CCI-000003

CCI-000003 Definition

The organization reviews and updates the access control policy in accordance with organization-defined frequency.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed annually reviews and updates the access control policy. The organization must maintain review and update activity as an audit trail. DoD has defined the frequency as annually.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed annually reviews and updates the access control policy. DoD has defined the frequency as annually.

Compelling Evidence

1.) Signed and dated access control policy. 2.) Documentation/policy that dictates review of documentations/policies at least annually. 3.) Audit trail of reviews.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000003.

Control	Description
AC-1	The organization: AC-1a.: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: AC-1a.1.: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AC-1a.2.: Procedures to facilitate the implementation of the access control policy and associated access controls; and AC-1b.: Reviews and updates the current: AC-1b.1.: Access control policy [Assignment: organization-defined frequency]; and AC-1b.2.: Access control procedures [Assignment: organization-defined frequency].

Control

Description

AC-1

The organization:

AC-1a.: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
- AC-1a.1.: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- AC-1a.2.: Procedures to facilitate the implementation of the access control policy and associated access controls; and

AC-1b.: Reviews and updates the current:
- AC-1b.1.: Access control policy [Assignment: organization-defined frequency]; and
- AC-1b.2.: Access control procedures [Assignment: organization-defined frequency].