Access is the ability to make use of any system resource. Access control is the process of granting or denying requests to:
• use information,
• use information processing services, and
• enter company facilities.
System-based access controls are called logical access controls. Logical access controls prescribe not only who or what (in the case of a process) is permitted to have access to a system resource, but also the type of access that is permitted. These controls may be built into the operating system, incorporated into applications programs or major utilities (e.g., database management systems, communications systems), or implemented through add-on security packages. Logical access controls may be implemented internally to the system being protected or in external devices. Examples of access control security requirements include account management, separation of duties, least privilege, session lock, information flow enforcement, and session termination.
Companies should limit:
• system access to authorized users,
• processes acting on behalf of authorized users,
• devices, including other systems, and
• the types of transactions and functions that authorized users are permitted to exercise.
The requirements for using – and prohibitions against the use of – various system resources can vary from one system to another. For example, some information must be accessible to all users, some may be needed by several groups or departments, and some may only be accessed by a few individuals within the company. While users must have access to the specific information needed to perform their jobs, denial of access to non-job-related information may be required. It may also be important to control the kind of access that is permitted (e.g., the ability for the average user to execute, but not change, system programs). These types of access restrictions enforce policy and help ensure that unauthorized actions are not taken.
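The following is an added example, not part of the original text, showing how the logical access control ideas above (authorized users, processes acting on their behalf, groups that share a resource, execute-but-not-change rights, least privilege with default deny, and a separation-of-duties check) can be enforced in code. All users, groups, resources and the conflicting-group pair are constructed, hypothetical sample data.

```python
"""Constructed example of a logical access control decision function (hypothetical data)."""
from dataclasses import dataclass, field

# The kinds of access the policy distinguishes: a user may be allowed to run a
# program (execute) without being allowed to read or change it (read/write).
READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()   # departments / roles the user belongs to


@dataclass(frozen=True)
class Process:
    """A process acting on behalf of a user. Least privilege: it is given only
    the subset of actions it needs and can never exceed its user's own rights."""
    name: str
    on_behalf_of: User
    allowed_actions: frozenset


@dataclass
class Resource:
    name: str
    # ACL entries keyed "user:<name>" or "group:<name>" -> set of permitted actions.
    acl: dict = field(default_factory=dict)


def effective_actions(user: User, resource: Resource) -> frozenset:
    """Actions granted to the user directly or through any of their groups.
    No matching entry means an empty set, i.e. default deny."""
    granted = set(resource.acl.get(f"user:{user.name}", ()))
    for group in user.groups:
        granted |= set(resource.acl.get(f"group:{group}", ()))
    return frozenset(granted)


def is_permitted(subject, resource: Resource, action: str) -> bool:
    """Decide whether `subject` (a User or a Process) may perform `action` on `resource`."""
    if isinstance(subject, Process):
        # A process gets the intersection of its own restriction and its user's rights.
        return (action in subject.allowed_actions
                and action in effective_actions(subject.on_behalf_of, resource))
    if isinstance(subject, User):
        return action in effective_actions(subject, resource)
    return False  # unknown subject types are always denied


# Separation of duties: pairs of groups that no single user may hold together
# (hypothetical conflict for illustration).
SOD_CONFLICTS = {frozenset({"payments-requesters", "payments-approvers"})}


def violates_separation_of_duties(user: User) -> bool:
    """True if the user holds every group of some conflicting pair."""
    return any(pair <= user.groups for pair in SOD_CONFLICTS)


# --- Constructed sample data -------------------------------------------------
policy_doc = Resource("hr/policy.pdf", {"group:all-staff": {READ}})
payroll_db = Resource("finance/payroll.db",
                      {"group:payroll": {READ, WRITE}, "group:auditors": {READ}})
backup_tool = Resource("/usr/local/bin/backup",
                       {"group:all-staff": {EXECUTE},
                        "user:sysadmin": {READ, WRITE, EXECUTE}})

alice = User("alice", frozenset({"all-staff", "payroll"}))
bob = User("bob", frozenset({"all-staff"}))
carol = User("carol", frozenset({"all-staff", "payments-requesters", "payments-approvers"}))
sysadmin = User("sysadmin", frozenset({"all-staff"}))

# A nightly job runs as alice but is restricted to read-only, even though alice may write.
report_job = Process("nightly-report", on_behalf_of=alice, allowed_actions=frozenset({READ}))

if __name__ == "__main__":
    checks = [
        (alice, payroll_db, WRITE), (bob, payroll_db, READ),
        (bob, backup_tool, EXECUTE), (bob, backup_tool, WRITE),
        (report_job, payroll_db, READ), (report_job, payroll_db, WRITE),
    ]
    for subject, resource, action in checks:
        print(f"{subject.name:15} {action:8} {resource.name:25} -> "
              f"{'ALLOW' if is_permitted(subject, resource, action) else 'DENY'}")
    for user in (alice, carol):
        print(f"{user.name}: separation-of-duties violation = {violates_separation_of_duties(user)}")
```

Every decision flows from explicit ACL entries, so a resource with no entry for a user or their groups yields a deny without any special casing; the process check shows least privilege as an intersection rather than an inheritance of the full user rights; and the separation-of-duties check is applied to group assignments rather than to individual requests, which is where such conflicts are cheapest to catch.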
Controlling physical access to company facilities is also important. It provides for the protection of employees, plant equipment, hardware, software, networks, and data from physical actions and events that could cause serious loss or damage to the company. This includes burglary, theft, vandalism, and terrorism.