800-53|AC-1

Title

ACCESS CONTROL POLICY AND PROCEDURES

Description

The organization:

Supplemental

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

Reference Item Details

Related: PM-9

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1 Ensure a customer created Customer Master Key (CMK) is created for the Web-tier | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
1.1.2 Ensure only trusted users are allowed to control Docker daemon | Unix | CIS Docker v1.6.0 L1 Docker Linux
1.1.5 Ensure 'Password Policy' is enabled | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.2 Ensure a customer created Customer Master Key (CMK) is created for the App-tier | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
1.3 Ensure a customer created Customer Master Key (CMK) is created for the Database-Tier | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
1.4.1.1 Ensure 'aaa local authentication max failed attempts' is set to less than or equal to '3' | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
2.1.1 Client certificate authentication should not be used for users | GCP | CIS Google Kubernetes Engine (GKE) v1.6.1 L1
2.2.3 Ensure that an exclusionary Device code flow policy is considered | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L2
2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less | OracleDB | CIS Oracle Server 19c DB Traditional Auditing v1.2.0
2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less | OracleDB | CIS Oracle Server 19c DB Unified Auditing v1.2.0
2.6.1 Ensure Guest Account Is Disabled | Unix | CIS Apple macOS 13.0 Ventura Cloud-tailored v1.0.0 L1
2.6.1 Ensure Guest Account Is Disabled | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1
2.7 Ensure that a unique Certificate Authority is used for etcd | Unix | CIS Kubernetes v1.10.0 L2 Master
2.7 Ensure that a unique Certificate Authority is used for etcd | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L2 Master
2.7 Ensure that a unique Certificate Authority is used for etcd | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L2 Master
2.7 Ensure that a unique Certificate Authority is used for etcd | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L2 Master
2.9 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L1
2.12 Ensure 'User consent for applications' is set to 'Do not allow user consent' | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L1
2.12.1 Ensure Guest Account Is Disabled | Unix | CIS Apple macOS 13.0 Ventura v2.1.0 L1
2.12.1 Ensure Guest Account Is Disabled | Unix | CIS Apple macOS 14.0 Sonoma v1.1.0 L1
2.14 Ensure containers are restricted from acquiring new privileges | Unix | CIS Docker v1.6.0 L1 Docker Linux
2.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L2
2.25 Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one' | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L2
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' | OracleDB | CIS Oracle Server 19c DB Traditional Auditing v1.2.0
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' | OracleDB | CIS Oracle Server 19c DB Unified Auditing v1.2.0
3.1.1 Client certificate authentication should not be used for users | Unix | CIS Kubernetes v1.10.0 L1 Master
3.1.1 Client certificate authentication should not be used for users | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
3.1.1 Client certificate authentication should not be used for users | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
3.1.1 Client certificate authentication should not be used for users | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
3.1.2 Service account token authentication should not be used for users | Unix | CIS Kubernetes v1.10.0 L1 Master
3.1.3 Bootstrap token authentication should not be used for users | Unix | CIS Kubernetes v1.10.0 L1 Master
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' | OracleDB | CIS Oracle Server 19c DB Traditional Auditing v1.2.0
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' | OracleDB | CIS Oracle Server 19c DB Unified Auditing v1.2.0
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' | OracleDB | CIS Oracle Server 12c DB Traditional Auditing v3.0.0
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' | OracleDB | CIS Oracle Server 19c DB Unified Auditing v1.2.0
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' | OracleDB | CIS Oracle Server 19c DB Traditional Auditing v1.2.0
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' | OracleDB | CIS Oracle Server 12c DB Unified Auditing v3.0.0
3.3.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L1
3.3.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L1
3.3.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L1
3.3.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L1
3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L2
3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' | OracleDB | CIS Oracle Server 19c DB Traditional Auditing v1.2.0
3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' | OracleDB | CIS Oracle Server 19c DB Unified Auditing v1.2.0
3.12 (L1) Host must lock an account after a specified number of failed login attempts | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
4.3 (L1) Ensure the maximum failed login attempts is set to 5 | VMware | CIS VMware ESXi 7.0 v1.4.0 L1
4.3 Ensure the maximum failed login attempts is set to 5 | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1
4.4 Ensure that Storage Account Access Keys are Periodically Regenerated | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L1
4.4.2.1.2 Ensure password failed attempts lockout is configured | Unix | CIS Amazon Linux 2 v3.0.0 L1
4.4.2.1.2 Ensure password failed attempts lockout is configured | Unix | CIS CentOS Linux 7 v4.0.0 L1 Server