CCI-003642

Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can change the rules governing access control.

Implementation Guidance

Determine if [AC-03(04)_ODP[01]; discretionary access control policy enforced over the set of covered subjects is defined] and [AC-03(04)_ODP[02]; discretionary access control policy enforced over the set of covered objects is defined] are enforced where the policy specifies that a subject that has been granted access to information can change the rules governing access control.

Validation Procedures

Examine: [SELECT FROM: Access control policy; discretionary access control policies; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; list of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers]. Test: [SELECT FROM: Mechanisms implementing discretionary access control policy].

The controls below (if any) were marked by NIST as being related to CCI-003642.