Navigate

AC-3 (5)

AC-3 (5): Security-Relevant Information

The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.

Supplemental

Security-relevant information is any information within information systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security policies or maintain the isolation of code and data. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Secure, non-operable system states include the times in which information systems are not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shut down).

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Cross Domain (Access), Cross Domain (Multilevel), Cross Domain (Transfer)

Related Controls

The controls below (if any) were marked by NIST as being related to AC-3 (5).

Control	Description
CM-3	The organization: CM-3a.: Determines the types of changes to the information system that are configuration-controlled; CM-3b.: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; CM-3c.: Documents configuration change decisions associated with the information system; CM-3d.: Implements approved configuration-controlled changes to the information system; CM-3e.: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; CM-3f.: Audits and reviews activities associated with configuration-controlled changes to the information system; and CM-3g.: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

Control

Description

CM-3

The organization:

CM-3a.: Determines the types of changes to the information system that are configuration-controlled;

CM-3b.: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

CM-3c.: Documents configuration change decisions associated with the information system;

CM-3d.: Implements approved configuration-controlled changes to the information system;

CM-3e.: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];

CM-3f.: Audits and reviews activities associated with configuration-controlled changes to the information system; and

CM-3g.: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

Enhancements

The controls below (if any) add on to the requirements of AC-3 (5).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AC-3 (5).

CCI	Definition
CCI-000024	The information system prevents access to organization-defined security-relevant information except during secure, non-operable system states.
CCI-001411	The organization defines security-relevant information to which the information system prevents access except during secure, non-operable system states.