Navigate

CCI-003015

CCI-003015 Definition

The mandatory access control policy specifies that organization-defined subjects may explicitly be granted organization-defined privileges such that they are not limited by some or all of the mandatory access control constraints.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed configures the information system to explicitly grant privileges defined in AC-3 (3), CCI 2162 such that they are not limited by some or all of the mandatory access control constraints. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 3015.

Validation Procedures

The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to explicitly grant privileges defined in AC-3 (3), CCI 2162 such that they are not limited by some or all of the mandatory access control constraints. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 3015.

Compelling Evidence

1.) Signed and dated mandatory access control policies 2.) Applicable STIG/SRG checks.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003015.

Control	Description
AC-3 (3)	The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy: AC-3 (3)(a): Is uniformly enforced across all subjects and objects within the boundary of the information system; AC-3 (3)(b): Specifies that a subject that has been granted access to information is constrained from doing any of the following; AC-3 (3)(b)(1): Passing the information to unauthorized subjects or objects; AC-3 (3)(b)(2): Granting its privileges to other subjects; AC-3 (3)(b)(3): Changing one or more security attributes on subjects, objects, the information system, or information system components; AC-3 (3)(b)(4): Choosing the security attributes and attribute values to be associated with newly created or modified objects; or AC-3 (3)(b)(5): Changing the rules governing access control; and AC-3 (3)(c): Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.

Control

Description

AC-3 (3)

The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy:

AC-3 (3)(a): Is uniformly enforced across all subjects and objects within the boundary of the information system;

AC-3 (3)(b): Specifies that a subject that has been granted access to information is constrained from doing any of the following;
- AC-3 (3)(b)(1): Passing the information to unauthorized subjects or objects;
- AC-3 (3)(b)(2): Granting its privileges to other subjects;
- AC-3 (3)(b)(3): Changing one or more security attributes on subjects, objects, the information system, or information system components;
- AC-3 (3)(b)(4): Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
- AC-3 (3)(b)(5): Changing the rules governing access control; and

AC-3 (3)(c): Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.