NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors who are subject to 252.204-7012 to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2 instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.
AC-3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.
Control Family: Access Control
Control Type: Basic
SPRS Value: 5
CMMC Level(s):
AC.L1-b.1.ii
AC.L2-3.1.2
Top Ten Failed Requirement:
No
Referenced in:
FAR Clause 52.204 b.1.ii
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
AC-2
AC-3
AC-17
Discussion:
Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades, scheduled maintenance) and mission or business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements).
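As an added illustration (not from the publication or the assessment guide), the following Python sketch shows one way 3.1.2[a] and 3.1.2[b] map to code: a table defining the functions each account type may execute, the time-of-day, day-of-week and point-of-origin attributes the discussion lists, and an enforcement check that fails closed on anything undefined. The account types, functions, hours and the 203.0.113.0/24 vendor range are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# 3.1.2[a]: define the transactions/functions each account type may execute.
# Constructed sample policy for illustration, not from the publication.
ALLOWED_FUNCTIONS = {
    "individual": {"read_cui", "edit_cui"},
    "vendor":     {"read_vendor_docs"},
    "emergency":  {"read_cui", "edit_cui", "restore_backup"},
    "guest":      set(),   # guest accounts are defined but may execute nothing
}

@dataclass(frozen=True)
class AccessRule:
    """Other authorizing attributes: time-of-day, day-of-week, point-of-origin."""
    hours: tuple = (0, 24)                     # permitted local hours, [start, end)
    weekdays: frozenset = frozenset(range(7))  # 0 = Monday ... 6 = Sunday
    origins: tuple = ("0.0.0.0/0",)            # CIDR blocks access may originate from

# Constructed attribute rules per account type (vendor range is a sample value).
RULES = {
    "individual": AccessRule(),
    "emergency":  AccessRule(),
    "guest":      AccessRule(),
    "vendor":     AccessRule(hours=(8, 18), weekdays=frozenset(range(5)),
                             origins=("203.0.113.0/24",)),
}

def authorize(account_type: str, function: str,
              when: datetime, source_ip: str) -> tuple[bool, str]:
    """3.1.2[b]: enforce the defined limits; deny anything not explicitly defined."""
    if account_type not in ALLOWED_FUNCTIONS or account_type not in RULES:
        return False, "undefined account type"
    if function not in ALLOWED_FUNCTIONS[account_type]:
        return False, f"{function} not permitted for {account_type} accounts"
    rule = RULES[account_type]
    if not rule.hours[0] <= when.hour < rule.hours[1]:
        return False, "outside permitted time-of-day"
    if when.weekday() not in rule.weekdays:
        return False, "outside permitted day-of-week"
    if not any(ip_address(source_ip) in ip_network(net) for net in rule.origins):
        return False, "point of origin not permitted"
    return True, "ok"

if __name__ == "__main__":
    # Tuesday 2024-05-14 10:00 from the sample vendor range: permitted.
    print(authorize("vendor", "read_vendor_docs", datetime(2024, 5, 14, 10), "203.0.113.7"))
    # Same request at 20:00: denied by time-of-day.
    print(authorize("vendor", "read_vendor_docs", datetime(2024, 5, 14, 20), "203.0.113.7"))
```

Each denial returns a reason string so the decision can be written to the audit logs an assessor will examine under this requirement.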
Determining Statements (NIST SP 800-171Ar2)
Upon assessment, assessors must determine if:
3.1.2[a] the types of transactions and functions that authorized users are permitted to execute are defined.
3.1.2[b] system access is limited to the defined types of transactions and functions for authorized users.
Assessors are instructed to:
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; system security plan; system design documentation; list of approved authorizations including remote access authorizations; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Personnel with access enforcement responsibilities; system or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing access control policy].
Potential Solutions Based on Staffing
1-10 FTE | 10-49 FTE | 50-249 FTE | 250-999 FTE | 1000+ FTE |
---|---|---|---|---|
Microsoft AD | Microsoft AD | CyberArk | CyberArk | CyberArk |
Azure AD SSO | Azure AD SSO | Centrify | Centrify | Centrify |
Cimcor CimTrak | Cimcor CimTrak | Microsoft AD | Microsoft AD | Microsoft AD |
Netwrix Auditor | Netwrix Auditor | Azure AD SSO | Azure AD SSO | Azure AD SSO |
Microsoft Intune | Microsoft Intune | Okta | Okta | Okta |
DISA STIGs | DISA STIGs | Cimcor CimTrak | Cimcor CimTrak | Cimcor CimTrak |
CIS Benchmarks | CIS Benchmarks | Netwrix Auditor | Netwrix Auditor | Netwrix Auditor |
CIS SecureSuite | CIS SecureSuite | Microsoft Intune | Microsoft Intune | Microsoft Intune |
Tripwire Enterprise | Tripwire Enterprise | Tripwire Enterprise | | |
DISA STIGs | DISA STIGs | DISA STIGs | | |
CIS Benchmarks | CIS Benchmarks | CIS Benchmarks | | |
CIS SecureSuite | CIS SecureSuite | CIS SecureSuite | | |