πΌ AC-1 Policy and Procedures
- Contextual name: πΌ AC-1 Policy and Procedures
- ID:
/frameworks/nist-sp-800-53-r5/ac/01
- Located in: πΌ AC Access Control
Descriptionβ
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
- [Selection (one or more): Organization-level; Mission/business process-level; System-level] access control policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
- Procedures to facilitate the implementation of the access control policy and the associated access controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and
c. Review and update the current access control:
- Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
- Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Similarβ
Similar Sections (Give Policies To)β
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|
| πΌ FedRAMP High Security Controls β πΌ AC-1 Policy and Procedures (L)(M)(H) | | | | |
| πΌ FedRAMP Low Security Controls β πΌ AC-1 Policy and Procedures (L)(M)(H) | | | | |
| πΌ NIST CSF v2.0 β πΌ GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed | | | 2 | |
| πΌ NIST CSF v2.0 β πΌ GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | | | | |
| πΌ NIST CSF v2.0 β πΌ GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | | | | |
| πΌ NIST CSF v2.0 β πΌ GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | | | | |
| πΌ NIST CSF v2.0 β πΌ GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | | | 7 | |
| πΌ NIST CSF v2.0 β πΌ ID.IM-01: Improvements are identified from evaluations | | | 10 | |
| πΌ NIST CSF v2.0 β πΌ ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | | | 23 | |
| πΌ NIST CSF v2.0 β πΌ ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities | | | 24 | |
| πΌ NIST CSF v2.0 β πΌ PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | | | 23 | |
| πΌ NIST CSF v2.0 β πΌ PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | | | 58 | |
Sub Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|