Description
The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [Assignment: organization-defined frequency, at least annually].
Supplemental Guidance
Account management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations. The organization identifies authorized users of the information system and specifies access rights/privileges. The organization grants access to the information system based on: (i) a valid need-to-know/need-to-share that is determined by assigned official duties and satisfying all personnel security criteria; and (ii) intended system usage. The organization requires proper identification for requests to establish information system accounts and approves all such requests. The organization specifically authorizes and monitors the use of guest/anonymous accounts and removes, disables, or otherwise secures unnecessary accounts. Account managers are notified when information system users are terminated or transferred and associated accounts are removed, disabled, or otherwise secured. Account managers are also notified when users information system usage or need-to-know/need-to-share changes.
Changes from Rev 4
Removes parameter for system account types Adds prerequisite and criteria parameter for group and role membership Adds access authorizations parameter for attributes (as required) for each account Adds parameters to notify account managers and organization-defined personnel or roles within time-period when accounts are no longer required; when users are terminated or transferred; and when system usage or need-to-know changes for an individual Adds control text with a new parameter requiring authorize access to the system based on a valid access authorization, intended system usage; and attributes (as required) Adds control text requiring alignment of account management processes with personnel termination and transfer processes Incorporates withdrawn control AC-02(10)
MITRE ATT&CK Techniques (220)
ATT&CK v16.1Techniques mitigated by this control, mapped via CTID.
Initial Access 8 Execution 29 Persistence 61 Privilege Escalation 53 Defense Evasion 80 Credential Access 43 Discovery 7 Lateral Movement 17 Collection 11 Exfiltration 9 Impact 4
Show all 220 techniques grouped by tactic
Initial Access
Execution
T1047 Windows Management Instrumentation T1053 Scheduled Task/Job T1059 Command and Scripting Interpreter T1072 Software Deployment Tools T1559 Inter-Process Communication T1569 System Services T1609 Container Administration Command T1610 Deploy Container T1648 Serverless Execution T1651 Cloud Administration Command T1053.002 At T1053.003 Cron T1053.005 Scheduled Task T1053.006 Systemd Timers T1053.007 Container Orchestration Job T1059.001 PowerShell T1059.002 AppleScript T1059.003 Windows Command Shell T1059.004 Unix Shell T1059.005 Visual Basic T1059.006 Python T1059.007 JavaScript T1059.008 Network Device CLI T1059.009 Cloud API T1059.010 AutoHotKey & AutoIT T1059.011 Lua T1559.001 Component Object Model T1569.001 Launchctl T1569.002 Service Execution
Persistence
T1053 Scheduled Task/Job T1078 Valid Accounts T1098 Account Manipulation T1136 Create Account T1197 BITS Jobs T1505 Server Software Component T1525 Implant Internal Image T1542 Pre-OS Boot T1543 Create or Modify System Process T1546 Event Triggered Execution T1556 Modify Authentication Process T1574 Hijack Execution Flow T1053.002 At T1053.003 Cron T1053.005 Scheduled Task T1053.006 Systemd Timers T1053.007 Container Orchestration Job T1078.001 Default Accounts T1078.002 Domain Accounts T1078.003 Local Accounts T1078.004 Cloud Accounts T1098.001 Additional Cloud Credentials T1098.002 Additional Email Delegate Permissions T1098.003 Additional Cloud Roles T1098.005 Device Registration T1098.006 Additional Container Cluster Roles T1098.007 Additional Local or Domain Groups T1136.001 Local Account T1136.002 Domain Account T1136.003 Cloud Account T1505.002 Transport Agent T1505.003 Web Shell T1505.005 Terminal Services DLL T1542.001 System Firmware T1542.003 Bootkit T1542.005 TFTP Boot T1543.001 Launch Agent T1543.002 Systemd Service T1543.003 Windows Service T1543.004 Launch Daemon T1543.005 Container Service T1546.003 Windows Management Instrumentation Event Subscription T1547.004 Winlogon Helper DLL T1547.006 Kernel Modules and Extensions T1547.009 Shortcut Modification T1547.012 Print Processors T1547.013 XDG Autostart Entries T1556.001 Domain Controller Authentication T1556.003 Pluggable Authentication Modules T1556.004 Network Device Authentication T1556.005 Reversible Encryption T1556.006 Multi-Factor Authentication T1556.007 Hybrid Identity T1556.009 Conditional Access Policies T1574.004 Dylib Hijacking T1574.005 Executable Installer File Permissions Weakness T1574.007 Path Interception by PATH Environment Variable T1574.008 Path Interception by Search Order Hijacking T1574.009 Path Interception by Unquoted Path T1574.010 Services File Permissions Weakness T1574.012 COR_PROFILER
Privilege Escalation
T1053 Scheduled Task/Job T1055 Process Injection T1068 Exploitation for Privilege Escalation T1078 Valid Accounts T1098 Account Manipulation T1134 Access Token Manipulation T1484 Domain or Tenant Policy Modification T1543 Create or Modify System Process T1546 Event Triggered Execution T1548 Abuse Elevation Control Mechanism T1574 Hijack Execution Flow T1611 Escape to Host T1053.002 At T1053.003 Cron T1053.005 Scheduled Task T1053.006 Systemd Timers T1053.007 Container Orchestration Job T1055.008 Ptrace System Calls T1078.001 Default Accounts T1078.002 Domain Accounts T1078.003 Local Accounts T1078.004 Cloud Accounts T1098.001 Additional Cloud Credentials T1098.002 Additional Email Delegate Permissions T1098.003 Additional Cloud Roles T1098.005 Device Registration T1098.006 Additional Container Cluster Roles T1098.007 Additional Local or Domain Groups T1134.001 Token Impersonation/Theft T1134.002 Create Process with Token T1134.003 Make and Impersonate Token T1543.001 Launch Agent T1543.002 Systemd Service T1543.003 Windows Service T1543.004 Launch Daemon T1543.005 Container Service T1546.003 Windows Management Instrumentation Event Subscription T1547.004 Winlogon Helper DLL T1547.006 Kernel Modules and Extensions T1547.009 Shortcut Modification T1547.012 Print Processors T1547.013 XDG Autostart Entries T1548.002 Bypass User Account Control T1548.003 Sudo and Sudo Caching T1548.005 Temporary Elevated Cloud Access T1548.006 TCC Manipulation T1574.004 Dylib Hijacking T1574.005 Executable Installer File Permissions Weakness T1574.007 Path Interception by PATH Environment Variable T1574.008 Path Interception by Search Order Hijacking T1574.009 Path Interception by Unquoted Path T1574.010 Services File Permissions Weakness T1574.012 COR_PROFILER
Defense Evasion
T1036 Masquerading T1055 Process Injection T1070 Indicator Removal T1078 Valid Accounts T1134 Access Token Manipulation T1197 BITS Jobs T1218 System Binary Proxy Execution T1222 File and Directory Permissions Modification T1484 Domain or Tenant Policy Modification T1542 Pre-OS Boot T1548 Abuse Elevation Control Mechanism T1550 Use Alternate Authentication Material T1553 Subvert Trust Controls T1556 Modify Authentication Process T1562 Impair Defenses T1574 Hijack Execution Flow T1578 Modify Cloud Compute Infrastructure T1599 Network Boundary Bridging T1601 Modify System Image T1610 Deploy Container T1612 Build Image on Host T1036.003 Rename System Utilities T1036.005 Match Legitimate Name or Location T1036.010 Masquerade Account Name T1055.008 Ptrace System Calls T1070.001 Clear Windows Event Logs T1070.002 Clear Linux or Mac System Logs T1070.003 Clear Command History T1070.007 Clear Network Connection History and Configurations T1070.008 Clear Mailbox Data T1070.009 Clear Persistence T1078.001 Default Accounts T1078.002 Domain Accounts T1078.003 Local Accounts T1078.004 Cloud Accounts T1134.001 Token Impersonation/Theft T1134.002 Create Process with Token T1134.003 Make and Impersonate Token T1218.007 Msiexec T1218.015 Electron Applications T1222.001 Windows File and Directory Permissions Modification T1222.002 Linux and Mac File and Directory Permissions Modification T1542.001 System Firmware T1542.003 Bootkit T1542.005 TFTP Boot T1548.002 Bypass User Account Control T1548.003 Sudo and Sudo Caching T1548.005 Temporary Elevated Cloud Access T1548.006 TCC Manipulation T1550.002 Pass the Hash T1550.003 Pass the Ticket T1556.001 Domain Controller Authentication T1556.003 Pluggable Authentication Modules T1556.004 Network Device Authentication T1556.005 Reversible Encryption T1556.006 Multi-Factor Authentication T1556.007 Hybrid Identity T1556.009 Conditional Access Policies T1562.001 Disable or Modify Tools T1562.002 Disable Windows Event Logging T1562.004 Disable or Modify System Firewall T1562.006 Indicator Blocking T1562.007 Disable or Modify Cloud Firewall T1562.008 Disable or Modify Cloud Logs T1562.009 Safe Mode Boot T1562.012 Disable or Modify Linux Audit System T1574.004 Dylib Hijacking T1574.005 Executable Installer File Permissions Weakness T1574.007 Path Interception by PATH Environment Variable T1574.008 Path Interception by Search Order Hijacking T1574.009 Path Interception by Unquoted Path T1574.010 Services File Permissions Weakness T1574.012 COR_PROFILER T1578.001 Create Snapshot T1578.002 Create Cloud Instance T1578.003 Delete Cloud Instance T1578.005 Modify Cloud Compute Configurations T1599.001 Network Address Translation Traversal T1601.001 Patch System Image T1601.002 Downgrade System Image
Credential Access
T1003 OS Credential Dumping T1110 Brute Force T1212 Exploitation for Credential Access T1528 Steal Application Access Token T1552 Unsecured Credentials T1556 Modify Authentication Process T1558 Steal or Forge Kerberos Tickets T1606 Forge Web Credentials T1621 Multi-Factor Authentication Request Generation T1003.001 LSASS Memory T1003.002 Security Account Manager T1003.003 NTDS T1003.004 LSA Secrets T1003.005 Cached Domain Credentials T1003.006 DCSync T1003.007 Proc Filesystem T1003.008 /etc/passwd and /etc/shadow T1056.003 Web Portal Capture T1110.001 Password Guessing T1110.002 Password Cracking T1110.003 Password Spraying T1110.004 Credential Stuffing T1552.001 Credentials In Files T1552.002 Credentials in Registry T1552.004 Private Keys T1552.006 Group Policy Preferences T1552.007 Container API T1555.005 Password Managers T1555.006 Cloud Secrets Management Stores T1556.001 Domain Controller Authentication T1556.003 Pluggable Authentication Modules T1556.004 Network Device Authentication T1556.005 Reversible Encryption T1556.006 Multi-Factor Authentication T1556.007 Hybrid Identity T1556.009 Conditional Access Policies T1558.001 Golden Ticket T1558.002 Silver Ticket T1558.003 Kerberoasting T1558.004 AS-REP Roasting T1558.005 Ccache Files T1606.001 Web Cookies T1606.002 SAML Tokens
Discovery
Lateral Movement
T1021 Remote Services T1072 Software Deployment Tools T1210 Exploitation of Remote Services T1550 Use Alternate Authentication Material T1563 Remote Service Session Hijacking T1021.001 Remote Desktop Protocol T1021.002 SMB/Windows Admin Shares T1021.003 Distributed Component Object Model T1021.004 SSH T1021.005 VNC T1021.006 Windows Remote Management T1021.007 Cloud Services T1021.008 Direct Cloud VM Connections T1550.002 Pass the Hash T1550.003 Pass the Ticket T1563.001 SSH Hijacking T1563.002 RDP Hijacking
Collection
T1005 Data from Local System T1025 Data from Removable Media T1185 Browser Session Hijacking T1213 Data from Information Repositories T1530 Data from Cloud Storage T1056.003 Web Portal Capture T1213.001 Confluence T1213.002 Sharepoint T1213.003 Code Repositories T1213.004 Customer Relationship Management Software T1213.005 Messaging Applications
Exfiltration
T1041 Exfiltration Over C2 Channel T1048 Exfiltration Over Alternative Protocol T1052 Exfiltration Over Physical Medium T1537 Transfer Data to Cloud Account T1567 Exfiltration Over Web Service T1020.001 Traffic Duplication T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol T1052.001 Exfiltration over USB
Compliance Mappings
ISO 27001:2022
A.5.15A.5.18
ISO 27002:2022
5.155.188.2
COBIT 2019
DSS05
CIS Controls v8
CIS 12.5CIS 4.7CIS 5CIS 5.1CIS 5.3CIS 5.5CIS 5.6CIS 6CIS 6.1CIS 6.2CIS 6.6CIS 6.7CIS 6.8
NIST CSF 2.0
DE.CM-03PR.AA-05
SOC 2 TSC
CC6.1CC6.6CC6.6-POF2
PCI DSS v4.0.1
2.2.12.2.27.28.28.6
CSA CCM v4
IAM-03IAM-05IAM-06IAM-07IAM-08IAM-10IAM-11IAM-13LOG-12
CSA AICM v1
IAM-03IAM-05IAM-06IAM-07IAM-08IAM-10IAM-11IAM-13IAM-17IAM-18LOG-12
FINOS CCC
CCC-C11
ISO 42001:2023
A.3.2
IEC 62443
3-3 SR 1.3
NIS2 Directive
Art. 21(2)(i)
MAS TRM
9
APRA CPS 234
Para 22-23
ASD Essential Eight
E8-5E8-5 ML1E8-5 ML2E8-5 ML3
BSI IT-Grundschutz
OPS.1.1.2ORP.4
ANSSI
Hygiene.11Hygiene.13Hygiene.32Hygiene.6Hygiene.7SecNumCloud.10.2
FINMA Circular 2023/1
IV.B.d(59)IV.B.d(60)IV.C(61)
OSFI B-13
B-13.3.2
EU GDPR
Art.25(2)Art.32(1)(b)Art.32(4)Art.5(1)(f)
EU DORA
Art.9(4)(c)Art.9(4)(d)
BIO2
5.155.188.2
RBI CSF
Annex1.8ITGRCA.19
FISC Security Guidelines
FISC.T2
LGPD + BCB 4893
BCB.Art.3BCB.PIXLGPD.Art.46
HKMA TM-E-1
TME1.8.1TME1.8.2
MLPS 2.0
8.1.4.28.1.7.2
DNB Good Practice
DNB.17.2DNB.8.5
EU CRA
CRA.I.2d
SWIFT CSCF
SWIFT.1.2SWIFT.2.11ASWIFT.5.1
SAMA CSF
3.1
NCA ECC
2-2
UAE IA
T9
CBB TM
TM-6
Qatar NIA
AC
CBUAE
CR-4
CBE CSF
CD-1CTO-1
SA JS2
JS2-7.1
CBN CSF
Part3.2
BoG CISD
CISD-IXCISD-VIII
POPIA
s19
BoM CTRM
3.3
IOSCO Cyber Resilience
PROT-1
BCBS 239
Principle 11
CPMI-IOSCO PFMI
CG.PRPFMI.P17
FFIEC IS
II.C.15II.C.7II.C.7(b)
NYDFS 500
500.7
HIPAA Security Rule
§164.308(a)(3)(i)§164.308(a)(3)(ii)(A)§164.308(a)(3)(ii)(B)§164.308(a)(3)(ii)(C)§164.308(a)(4)(i)§164.308(a)(4)(ii)(B)§164.308(a)(4)(ii)(C)§164.312(a)(1)§164.312(a)(2)(i)§164.312(a)(2)(ii)
ECB CROE
CROE.2.3.1
EBA ICT Guidelines
3.4.2
SEBI CSCRF
PR.AA
BOT Cyber Resilience
Ch2.2Ch8.2
CMMC 2.0
AC
NERC CIP
CIP-004-7CIP-007-6
10 CFR 73.54
RG5.71-A-AC
TSA Pipeline SD
SD-2 Sec B
IEEE 1686-2022
5.1
FERC CIP Orders
Order 850
DOE C2M2 v2.1
ACCESS
API 1164
Sec 6
AWIA
AWWA Sec 3
IAEA NSS 17-T
Sec 5.2Sec 5.3
FIPS 140-3
FIPS 140-3 §7.4
Common Criteria
CC Part 2 — FMT
ISAE 3402
Clause 4
Solvency II
EIOPA-ICT-4.4
Lloyd's Minimum Standards
MS8.3
NAIC Insurance Data Security
4-access4B
PRA SS1/23
P-IT.1P2.4
FCA SYSC 13
SYSC 13.7.3
HITRUST CSF v11
01.a02.c
FDA 21 CFR Part 11
§11.10(d)§11.10(g)§11.100(a)§11.200(a)(2)§11.300(a)§11.300(b)§11.300(c)
FDA Cybersecurity Guidance
SA-1
ISO 27799
7.39.19.29.3
NHS DSPT
NDG-4.1NDG-4.2
CCSS v9.0
1.04.11.04.21.06.2
MiCA
Art.67(1)Art.86(1)
Basel SCO60
SCO60.55SCO60.62
BSSC Standards
NOS-05KMS-06GSP-11
SEC Custody (Digital Assets)
SEC-CD-02SEC-CD-05SEC-CD-16
ISO 17799 (legacy)
6.2.26.2.38.3.311.2.111.2.211.2.411.7.2
COBIT 4.1 (legacy)
DS5.4