Navigate

CCI-000003

CCI-000003 Definition

Review and update the current access control policy on an organization-defined frequency.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed annually reviews and updates the access control policy. The organization must maintain review and update activity as an audit trail. DoD has defined the frequency as annually.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed annually reviews and updates the access control policy. DoD has defined the frequency as annually.

Compelling Evidence

1.) Signed and dated access control policy. 2.) Documentation/policy that dictates review of documentations/policies at least annually. 3.) Audit trail of reviews.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000003.

Control	Description
AC-1	The organization: a: Develops, documents, and disseminates to [one of ]: 1: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2: Procedures to facilitate the implementation of the access control policy and associated access controls; and b: Reviews and updates the current: 1: Access control policy [one of ]; and 2: Access control procedures [one of ].

Control

Description

AC-1

The organization:

a: Develops, documents, and disseminates to [one of ]:
- 1: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- 2: Procedures to facilitate the implementation of the access control policy and associated access controls; and

b: Reviews and updates the current:
- 1: Access control policy [one of ]; and
- 2: Access control procedures [one of ].