Navigate

CCI-003014

CCI-003014 Definition

The information system enforces organization-defined mandatory access control policies over all subjects and objects.

Status
Type	CheckType.technical

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed configures the information system to enforce mandatory access control policies defined in AC-3 (3), CCI 2153 over all subjects and objects. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 3014.

Validation Procedures

The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce mandatory access control policies defined in AC-3 (3), CCI 2153 over all subjects and objects. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 3014.

Compelling Evidence

1.) Signed and dated documentation which defines a process for enforcing mandatory access control policies. 2.) Applicable STIG/SRG checks.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003014.

Control	Description
AC-3 (3)	The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy: AC-3 (3)(a): Is uniformly enforced across all subjects and objects within the boundary of the information system; AC-3 (3)(b): Specifies that a subject that has been granted access to information is constrained from doing any of the following; AC-3 (3)(b)(1): Passing the information to unauthorized subjects or objects; AC-3 (3)(b)(2): Granting its privileges to other subjects; AC-3 (3)(b)(3): Changing one or more security attributes on subjects, objects, the information system, or information system components; AC-3 (3)(b)(4): Choosing the security attributes and attribute values to be associated with newly created or modified objects; or AC-3 (3)(b)(5): Changing the rules governing access control; and AC-3 (3)(c): Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.

Control

Description

AC-3 (3)

The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy:

AC-3 (3)(a): Is uniformly enforced across all subjects and objects within the boundary of the information system;

AC-3 (3)(b): Specifies that a subject that has been granted access to information is constrained from doing any of the following;
- AC-3 (3)(b)(1): Passing the information to unauthorized subjects or objects;
- AC-3 (3)(b)(2): Granting its privileges to other subjects;
- AC-3 (3)(b)(3): Changing one or more security attributes on subjects, objects, the information system, or information system components;
- AC-3 (3)(b)(4): Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
- AC-3 (3)(b)(5): Changing the rules governing access control; and

AC-3 (3)(c): Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.