>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

AC-3(4)Access Enforcement | Discretionary Access Control

IL5
IL6

>Control Description

Enforce organization-defined discretionary access control policy over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system's components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing the information to other subjects or objects (i.e., subjects have the discretion to pass). Discretionary access control can operate in conjunction with mandatory access control as described in AC-3(3) and AC-3(15).

A subject that is constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of discretionary access control. Therefore, while AC-3(3) imposes constraints that prevent a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any subject at the same impact or classification level. The policy is bounded by the system.

Once the information is passed outside of system control, additional means may be required to ensure that the constraints remain in effect. While traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this particular use of discretionary access control.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AC-3(4) (Discretionary Access Control)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AC-3(4)?
  • How frequently is the AC-3(4) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AC-3(4)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AC-3(4) requirements.
  • What automated tools, systems, or technologies are deployed to implement AC-3(4)?
  • How is AC-3(4) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AC-3(4) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AC-3(4)?
  • What audit logs, records, reports, or monitoring data validate AC-3(4) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AC-3(4) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AC-3(4) compliance?

Ask AI

Configure your API key to use AI features.