← Controls / AC

AC-03 Access Enforcement

Access Control

Low Moderate High

Description

The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.

Supplemental Guidance

Access control policies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. In addition to controlling access at the information system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for the organization. Consideration is given to the implementation of a controlled, audited, and manual override of automated mechanisms in the event of emergencies or other serious events. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used is FIPS 140-2 (as amended) compliant. Related security control: SC-13.

MITRE ATT&CK Techniques (281)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Initial Access 10 Execution 29 Persistence 76 Privilege Escalation 64 Defense Evasion 91 Credential Access 48 Discovery 7 Lateral Movement 20 Collection 21 Command & Control 8 Exfiltration 10 Impact 23
Show all 281 techniques grouped by tactic

Persistence

T1037 T1053 T1078 T1098 T1133 T1136 T1197 T1205 T1505 T1525 T1542 T1543 T1546 T1556 T1574 T1037.002 T1037.003 T1037.004 T1037.005 T1053.002 T1053.003 T1053.005 T1053.006 T1053.007 T1078.002 T1078.003 T1078.004 T1098.001 T1098.002 T1098.003 T1098.004 T1098.005 T1098.006 T1098.007 T1136.001 T1136.002 T1136.003 T1205.001 T1505.002 T1505.003 T1505.004 T1505.005 T1542.001 T1542.003 T1542.004 T1542.005 T1543.001 T1543.002 T1543.003 T1543.004 T1543.005 T1546.003 T1546.004 T1546.013 T1547.003 T1547.004 T1547.006 T1547.007 T1547.009 T1547.012 T1547.013 T1556.001 T1556.003 T1556.004 T1556.006 T1556.007 T1556.008 T1556.009 T1574.004 T1574.005 T1574.007 T1574.008 T1574.009 T1574.010 T1574.012 T1574.014

Privilege Escalation

T1037 T1053 T1055 T1078 T1098 T1134 T1484 T1543 T1546 T1548 T1574 T1611 T1037.002 T1037.003 T1037.004 T1037.005 T1053.002 T1053.003 T1053.005 T1053.006 T1053.007 T1055.008 T1055.009 T1078.002 T1078.003 T1078.004 T1098.001 T1098.002 T1098.003 T1098.004 T1098.005 T1098.006 T1098.007 T1134.001 T1134.002 T1134.003 T1134.005 T1543.001 T1543.002 T1543.003 T1543.004 T1543.005 T1546.003 T1546.004 T1546.013 T1547.003 T1547.004 T1547.006 T1547.007 T1547.009 T1547.012 T1547.013 T1548.002 T1548.003 T1548.005 T1548.006 T1574.004 T1574.005 T1574.007 T1574.008 T1574.009 T1574.010 T1574.012 T1574.014

Defense Evasion

T1027 T1036 T1055 T1070 T1078 T1134 T1197 T1205 T1218 T1222 T1484 T1542 T1548 T1550 T1553 T1556 T1562 T1574 T1578 T1599 T1601 T1610 T1612 T1622 T1647 T1036.003 T1036.005 T1036.010 T1055.008 T1055.009 T1070.001 T1070.002 T1070.003 T1070.007 T1070.008 T1070.009 T1078.002 T1078.003 T1078.004 T1134.001 T1134.002 T1134.003 T1134.005 T1205.001 T1218.002 T1218.007 T1218.012 T1222.001 T1222.002 T1542.001 T1542.003 T1542.004 T1542.005 T1548.002 T1548.003 T1548.005 T1548.006 T1550.002 T1550.003 T1553.003 T1556.001 T1556.003 T1556.004 T1556.006 T1556.007 T1556.008 T1556.009 T1562.001 T1562.002 T1562.004 T1562.006 T1562.007 T1562.008 T1562.009 T1562.012 T1564.004 T1574.004 T1574.005 T1574.007 T1574.008 T1574.009 T1574.010 T1574.012 T1574.014 T1578.001 T1578.002 T1578.003 T1578.005 T1599.001 T1601.001 T1601.002

Credential Access

T1003 T1110 T1187 T1528 T1539 T1552 T1555 T1556 T1557 T1558 T1606 T1003.001 T1003.002 T1003.003 T1003.004 T1003.005 T1003.006 T1003.007 T1003.008 T1056.003 T1110.001 T1110.002 T1110.003 T1110.004 T1552.002 T1552.005 T1552.007 T1555.002 T1555.005 T1555.006 T1556.001 T1556.003 T1556.004 T1556.006 T1556.007 T1556.008 T1556.009 T1557.001 T1557.002 T1557.003 T1557.004 T1558.001 T1558.002 T1558.003 T1558.004 T1558.005 T1606.001 T1606.002

Compliance Mappings

ISO 27001:2022

A.5.15A.8.3A.8.4

ISO 27002:2022

5.158.38.4

COBIT 2019

DSS05DSS06

CIS Controls v8

CIS 13.9CIS 3.3CIS 6CIS 6.7CIS 6.8

NIST CSF 2.0

PR.AA-05PR.DS-01PR.DS-10

SOC 2 TSC

CC6.1CC6.6CC6.6-POF2

PCI DSS v4.0.1

1.2.83.47.27.3

CSA CCM v4

DSP-17IAM-16

CSA AICM v1

DSP-17IAM-16MDS-07

FINOS CCC

CCC-C05CCC-C11

ISO 42001:2023

A.9.2A.9.4

IEC 62443

3-3 SR 2.13-3 SR 4.1

NIS2 Directive

Art. 21(2)(i)

MAS TRM

159

APRA CPS 234

Para 22-23

ASD Essential Eight

E8-8 ML3

BSI IT-Grundschutz

ORP.4SYS.1.1SYS.2.1

ANSSI

Hygiene.14Hygiene.15Hygiene.17SecNumCloud.10.3

FINMA Circular 2023/1

IV.B.d(59)IV.B.d(60)IV.C(61)

OSFI B-13

B-13.3.2

EU GDPR

Art.25(2)Art.32(1)(b)Art.5(1)(f)

EU DORA

Art.9(4)(c)

BIO2

5.158.38.4

RBI CSF

Annex1.8ITGRCA.19

FISC Security Guidelines

FISC.T11FISC.T2FISC.T5

LGPD + BCB 4893

BCB.Art.3BCB.OpenFinanceBCB.PIXLGPD.Art.11LGPD.Art.46

HKMA TM-E-1

TME1.10.3TME1.11.2TME1.8.1

MLPS 2.0

8.1.3.28.1.4.28.28.48.5

DNB Good Practice

DNB.12.3DNB.17.2DNB.20.1

EU CRA

CRA.I.2d

SWIFT CSCF

SWIFT.2.11ASWIFT.2.9SWIFT.5.1SWIFT.5.4SWIFT.6.3

SAMA CSF

3.1

NCA ECC

2-22-7

UAE IA

T9

CBB TM

TM-6

Qatar NIA

AC

CBUAE

CR-4

CBE CSF

CTO-1CTO-5

SA JS2

JS2-7.1

CBN CSF

Part3.2Part5.2

BoG CISD

CISD-IXCISD-VIII

POPIA

s19

BoM CTRM

3.3

IOSCO Cyber Resilience

PROT-1

BCBS 239

Principle 11

CPMI-IOSCO PFMI

CG.PRPFMI.P17

FFIEC IS

II.C.13(a)II.C.15II.C.15(a)II.C.15(b)II.C.18II.C.7(b)

NYDFS 500

500.7

HIPAA Security Rule

§164.308(a)(3)(i)§164.308(a)(3)(ii)(A)§164.308(a)(4)(i)§164.308(a)(4)(ii)(B)§164.308(a)(4)(ii)(C)§164.312(a)(1)§164.314(b)(2)

ECB CROE

CROE.2.3.1

EBA ICT Guidelines

3.4.2

SEBI CSCRF

PR.AA

BOT Cyber Resilience

Ch2.2

CMMC 2.0

AC

NERC CIP

CIP-007-6CIP-011-3

10 CFR 73.54

73.54(c)(1)RG5.71-A-AC

TSA Pipeline SD

SD-2 Sec B

IEEE 1686-2022

5.15.9

DOE C2M2 v2.1

ACCESS

API 1164

Sec 6

AWIA

AWWA Sec 3

IAEA NSS 17-T

Sec 5.3

CBEST

CBEST.9

TIBER-EU

TIBER.CONF

PCI HSM

48

Common Criteria

CC Part 2 — FDP

ISAE 3402

Clause 4

Solvency II

DR.266-DataSecEIOPA-ICT-4.4

Lloyd's Minimum Standards

MS1.1MS2.1MS5.1MS6.1MS8.3

NAIC Insurance Data Security

4-access4B

PRA SS1/23

P-IT.1P3.3P3.6

FCA SYSC 13

SYSC 13.7.3

HITRUST CSF v11

01.a01.c13.e

FDA 21 CFR Part 11

§11.10(d)§11.10(g)

FDA Cybersecurity Guidance

SA-1SA-4

ISO 27799

9.19.5H.4

NHS DSPT

NDG-1.1NDG-4.1

OWASP MASVS v2.1

MASVS-STORAGE-1MASVS-AUTH-1MASVS-AUTH-3MASVS-PLATFORM-1MASVS-PRIVACY-1MASVS-PRIVACY-4

CCSS v9.0

1.03.51.05.1

MiCA

Art.40(1)Art.55(1)Art.63(1)Art.67(1)Art.62(9)Art.97(1)

Basel SCO60

SCO60.61SCO60.62SCO60.66

BSSC Standards

NOS-05TIS-07KMS-06KMS-09GSP-11

SEC Custody (Digital Assets)

SEC-CD-02SEC-CD-05

ISO 17799 (legacy)

11.2.411.4.5

COBIT 4.1 (legacy)

PO2.3AI2.4DS11.6