controlAC-3

Access Enforcement (AC-3)

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Security Baselines

LOWMODERATEHIGH

access-controlauthorizationleast-privilege

Why These Connect

Baselined In3

This control is included in the linked security baseline (LOW, MODERATE, or HIGH).

Supports77

These related controls work together — a change to one may affect the others.

Mitigates14

This control helps defend against or reduce the risk of the linked threat technique.

Enhances15

These enhancements add specific capabilities or refinements to the base control.

Related Controls(60)

AC-2Account Management (AC-2)

LMH

AC-4Information Flow Enforcement (AC-4)

AC-5Separation of Duties (AC-5)

AC-6Least Privilege (AC-6)

AC-16Security and Privacy Attributes (AC-16)AC-17Remote Access (AC-17)

LMH

AC-18Wireless Access (AC-18)

LMH

AC-19Access Control for Mobile Devices (AC-19)

LMH

AC-20Use of External Systems (AC-20)

LMH

AC-21Information Sharing (AC-21)

AC-22Publicly Accessible Content (AC-22)

LMH

AC-24Access Control Decisions (AC-24)AC-25Reference Monitor (AC-25)AT-2Literacy Training and Awareness (AT-2)

LMH

AT-3Role-based Training (AT-3)

LMH

AU-9Protection of Audit Information (AU-9)

LMH

CA-9Internal System Connections (CA-9)

LMH

CM-5Access Restrictions for Change (CM-5)

LMH

CM-11User-installed Software (CM-11)

LMH

IA-2Identification and Authentication (Organizational Users) (IA-2)

LMH

IA-5Authenticator Management (IA-5)

LMH

IA-6Authentication Feedback (IA-6)

LMH

IA-7Cryptographic Module Authentication (IA-7)

LMH

IA-11Re-authentication (IA-11)

LMH

IA-13Identity Providers and Authorization Servers (IA-13)MA-3Maintenance Tools (MA-3)

MA-4Nonlocal Maintenance (MA-4)

LMH

MA-5Maintenance Personnel (MA-5)

LMH

MP-4Media Storage (MP-4)

PM-2Information Security Program Leadership Role (PM-2)PS-3Personnel Screening (PS-3)

LMH

PT-2Authority to Process Personally Identifiable Information (PT-2)PT-3Personally Identifiable Information Processing Purposes (PT-3)SA-17Developer Security and Privacy Architecture and Design (SA-17)

SC-2Separation of System and User Functionality (SC-2)

SC-3Security Function Isolation (SC-3)

SC-4Information in Shared System Resources (SC-4)

SC-12Cryptographic Key Establishment and Management (SC-12)

LMH

SC-13Cryptographic Protection (SC-13)

LMH

SC-28Protection of Information at Rest (SC-28)

SC-31Covert Channel Analysis (SC-31)SC-34Non-modifiable Executable Programs (SC-34)SI-4System Monitoring (SI-4)

LMH

SI-8Spam Protection (SI-8)

AU-2Event Logging (AU-2)

LMH

AU-6Audit Record Review, Analysis, and Reporting (AU-6)

LMH

AU-14Session Audit (AU-14)CM-6Configuration Settings (CM-6)

LMH

CM-7Least Functionality (CM-7)

LMH

CM-12Information Location (CM-12)

CM-13Data Action Mapping (CM-13)MP-6Media Sanitization (MP-6)

LMH

PE-22Component Marking (PE-22)PM-20Dissemination of Privacy Program Information (PM-20)PM-21Accounting of Disclosures (PM-21)PT-6System of Records Notice (PT-6)SC-16Transmission of Security and Privacy Attributes (SC-16)SC-39Process Isolation (SC-39)

LMH

SC-45System Time Synchronization (SC-45)SC-50Software-enforced Separation and Policy Enforcement (SC-50)

Threat Coverage(14 ATT&CK techniques)

T1133External Remote Services T1078Valid Accounts T1059Command and Scripting Interpreter T1047Windows Management Instrumentation T1136Create Account T1053Scheduled Task/Job T1070Indicator Removal T1003OS Credential Dumping T1558Steal or Forge Kerberos Tickets T1021Remote Services T1005Data from Local System T1114Email Collection T1486Data Encrypted for Impact T1485Data Destruction

Control Enhancements(15)

AC-3(1)Restricted Access to Privileged Functions (AC-3(1))W

AC-3(2)Dual Authorization (AC-3(2))

AC-3(3)Mandatory Access Control (AC-3(3))

AC-3(4)Discretionary Access Control (AC-3(4))

AC-3(5)Security-relevant Information (AC-3(5))

AC-3(6)Protection of User and System Information (AC-3(6))W

AC-3(7)Role-based Access Control (AC-3(7))

AC-3(8)Revocation of Access Authorizations (AC-3(8))

AC-3(9)Controlled Release (AC-3(9))

AC-3(10)Audited Override of Access Control Mechanisms (AC-3(10))

AC-3(11)Restrict Access to Specific Information Types (AC-3(11))

AC-3(12)Assert and Enforce Application Access (AC-3(12))

AC-3(13)Attribute-based Access Control (AC-3(13))

AC-3(14)Individual Access (AC-3(14))

AC-3(15)Discretionary and Mandatory Access Control (AC-3(15))