Navigate

PE-2 (1)

PE-2 (1): Access By Position / Role

The organization authorizes physical access to the facility where the information system resides based on position or role.

Supplemental

None

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Privacy (PHI)

Related Controls

The controls below (if any) were marked by NIST as being related to PE-2 (1).

Control	Description
AC-2	The organization: AC-2a.: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; AC-2b.: Assigns account managers for information system accounts; AC-2c.: Establishes conditions for group and role membership; AC-2d.: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; AC-2e.: Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; AC-2f.: Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; AC-2g.: Monitors the use of information system accounts; AC-2h.: Notifies account managers: AC-2h.1.: When accounts are no longer required; AC-2h.2.: When users are terminated or transferred; and AC-2h.3.: When individual information system usage or need-to-know changes; AC-2i.: Authorizes access to the information system based on: AC-2i.1.: A valid access authorization; AC-2i.2.: Intended system usage; and AC-2i.3.: Other attributes as required by the organization or associated missions/business functions; AC-2j.: Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and AC-2k.: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
AC-3	The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-6	The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Enhancements

The controls below (if any) add on to the requirements of PE-2 (1).

Control	Description
No controls

Related CCIs

The CCIs below are tied to PE-2 (1).

CCI	Definition
CCI-000916	The organization authorizes physical access to the facility where the information system resides based on position or role.