Navigate

AC-2 (12)

AC-2 (12): Account Monitoring / Atypical Usage

The organization:

AC-2 (12)(a): Monitors information system accounts for [Assignment: organization-defined atypical usage]; and

AC-2 (12)(b): Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles].

Supplemental

Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to AC-2 (12).

Control	Description
CA-7	The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: CA-7a.: Establishment of [Assignment: organization-defined metrics] to be monitored; CA-7b.: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; CA-7c.: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; CA-7d.: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; CA-7e.: Correlation and analysis of security-related information generated by assessments and monitoring; CA-7f.: Response actions to address results of the analysis of security-related information; and CA-7g.: Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

Control

Description

CA-7

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

CA-7a.: Establishment of [Assignment: organization-defined metrics] to be monitored;

CA-7b.: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;

CA-7c.: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

CA-7d.: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

CA-7e.: Correlation and analysis of security-related information generated by assessments and monitoring;

CA-7f.: Response actions to address results of the analysis of security-related information; and

CA-7g.: Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

Enhancements

The controls below (if any) add on to the requirements of AC-2 (12).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AC-2 (12).

CCI	Definition
CCI-002146	The organization defines atypical usage for which the information system accounts are to be monitored.
CCI-002147	The organization monitors information system accounts for organization-defined atypical use.
CCI-002148	The organization defines the personnel or roles to whom atypical usage of information system accounts are to be reported.
CCI-002149	The organization reports atypical usage of information system accounts to organization-defined personnel or roles.