Navigate

AC-17(4)

AC-17(4): Privileged Commands and Access

(a): Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [one of ] ; and

(b): Document the rationale for remote access in the security plan for the system.

Supplemental

Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
CMMC

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to AC-17(4).

Control	Description
AC-6	Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
SC-12	Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [requirements for key generation, distribution, storage, access, and destruction are defined;].
SC-13	a: Determine the [cryptographic uses are defined;] ; and b: Implement the following types of cryptography required for each specified cryptographic use: [types of cryptography for each specified cryptographic use are defined;].

Enhancements

The controls below (if any) add on to the requirements of AC-17(4).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AC-17(4).

CCI	Definition
CCI-000070	Authorize the execution of privileged commands via remote access only in a format that provides assessable evidence for organization-defined needs.
CCI-002316	Authorize access to security-relevant information via remote access only in a format that provides assessable evidence for organization-defined needs.
CCI-002317	Defines the needs for when the execution of privileged commands via remote access is to be authorized.
CCI-002318	Defines the needs for when access to security-relevant information via remote access is to be authorized.
CCI-002319	Document the rationale for authorization of the execution of privilege commands via remote access.
CCI-002320	Document the rationale for authorization of access to security-relevant information via remote access.