AC-3 Control Enhancements:
Control: The information system enforces approved authorisations for logical access to information and system resources in accordance with applicable access control policies.
AC-3 (1) Access Enforcement - Restricted access to privileged functions
[Withdrawn: Incorporated into AC-6].
AC-3 (2) Access Enforcement - Dual Authorisation
The information system enforces dual authorisation for [Assignment: organisation-defined privileged commands and/or other organisation-defined actions].
AC-3 (3) Access Enforcement - Mandatory Access Control
The information system enforces [Assignment: organisation-defined mandatory access control policy] over all subjects and objects where the policy:
AC-3 (4) Access Enforcement - Discretionary Access Control
The information system enforces [Assignment: organisation-defined discretionary access control policy] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following:
AC-3 (5) Access Enforcement - Security-relevant Information
The information system prevents access to [Assignment: organisation-defined security-relevant information] except during secure, non-operable system states.
AC-3 (7) Access Enforcement - Role-based Access Control
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organisation-defined roles and users authorised to assume such roles].
AC-3 (8) Access Enforcement - Revocation of access authorisations
The information system enforces the revocation of access authorisations resulting from changes to the security attributes of subjects and objects based on [Assignment: organisation-defined rules governing the timing of revocations of access authorisations].
AC-3 (9) Access Enforcement - Controlled Release
The information system does not release information outside of the established system boundary unless:
AC-3 (10) Access Enforcement - Audited override of access control mechanisms
The organisation employs an audited override of automated access control mechanisms under [Assignment: organisation-defined conditions].