N
|
controlAC-2

Account Management (AC-2)

Define and document the types of accounts allowed and specifically prohibited for use within the system; Assign account managers; Require [organization-defined] for group and role membership; Specify: Require approvals by [organization-defined] for requests to create accounts; Create, enable, modify, disable, and remove accounts in accordance with [organization-defined]; Monitor the use of accounts; Notify account managers and [organization-defined] within: Authorize access to the system based o

Security Baselines

LOWMODERATEHIGH
access-controlauthorizationleast-privilege

Why These Connect

Baselined In3

This control is included in the linked security baseline (LOW, MODERATE, or HIGH).

Supports52

These related controls work together — a change to one may affect the others.

Mitigates4

This control helps defend against or reduce the risk of the linked threat technique.

Enhances13

These enhancements add specific capabilities or refinements to the base control.

Related Controls(40)

AC-3Access Enforcement (AC-3)
LMH
AC-5Separation of Duties (AC-5)
MH
AC-6Least Privilege (AC-6)
MH
AC-17Remote Access (AC-17)
LMH
AC-18Wireless Access (AC-18)
LMH
AC-20Use of External Systems (AC-20)
LMH
AC-24Access Control Decisions (AC-24)AU-2Event Logging (AU-2)
LMH
AU-12Audit Record Generation (AU-12)
LMH
CM-5Access Restrictions for Change (CM-5)
LMH
IA-2Identification and Authentication (Organizational Users) (IA-2)
LMH
IA-4Identifier Management (IA-4)
LMH
IA-5Authenticator Management (IA-5)
LMH
IA-8Identification and Authentication (Non-organizational Users) (IA-8)
LMH
MA-3Maintenance Tools (MA-3)
MH
MA-5Maintenance Personnel (MA-5)
LMH
PE-2Physical Access Authorizations (PE-2)
LMH
PL-4Rules of Behavior (PL-4)
LMH
PS-2Position Risk Designation (PS-2)
LMH
PS-4Personnel Termination (PS-4)
LMH
PS-5Personnel Transfer (PS-5)
LMH
PS-7External Personnel Security (PS-7)
LMH
PT-2Authority to Process Personally Identifiable Information (PT-2)PT-3Personally Identifiable Information Processing Purposes (PT-3)SC-7Boundary Protection (SC-7)
LMH
SC-12Cryptographic Key Establishment and Management (SC-12)
LMH
SC-13Cryptographic Protection (SC-13)
LMH
SC-37Out-of-band Channels (SC-37)AC-7Unsuccessful Logon Attempts (AC-7)
LMH
AC-11Device Lock (AC-11)
MH
AU-6Audit Record Review, Analysis, and Reporting (AU-6)
LMH
AU-7Audit Record Reduction and Report Generation (AU-7)
MH
CA-7Continuous Monitoring (CA-7)
LMH
CM-12Information Location (CM-12)
MH
IR-8Incident Response Plan (IR-8)
LMH
MA-4Nonlocal Maintenance (MA-4)
LMH
PL-2System Security and Privacy Plans (PL-2)
LMH
PM-31Continuous Monitoring Strategy (PM-31)PS-3Personnel Screening (PS-3)
LMH
SI-4System Monitoring (SI-4)
LMH

Threat Coverage(4 ATT&CK techniques)

T1133External Remote ServicesT1078Valid AccountsT1136Create AccountT1021Remote Services

Control Enhancements(13)

AC-2(1)Automated System Account Management (AC-2(1))
MH
AC-2(2)Automated Temporary and Emergency Account Management (AC-2(2))
MH
AC-2(3)Disable Accounts (AC-2(3))
MH
AC-2(4)Automated Audit Actions (AC-2(4))
MH
AC-2(5)Inactivity Logout (AC-2(5))
MH
AC-2(6)Dynamic Privilege Management (AC-2(6))
AC-2(7)Privileged User Accounts (AC-2(7))
AC-2(8)Dynamic Account Management (AC-2(8))
AC-2(9)Restrictions on Use of Shared and Group Accounts (AC-2(9))
AC-2(10)Shared and Group Account Credential Change (AC-2(10))W
AC-2(11)Usage Conditions (AC-2(11))
H
AC-2(12)Account Monitoring for Atypical Usage (AC-2(12))
H
AC-2(13)Disable Accounts for High-risk Individuals (AC-2(13))
MH

See Also

@SP 800-53 OverviewCompare Baselines