AC-3(13)—Attribute-Based Access Control
>Control Description
>Supplemental Guidance
Attribute-based access control is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, identity), action attributes (e.g., read, write, delete), environmental attributes (e.g., time of day, location), and resource attributes (e.g., classification of a document). Organizations can create rules based on attributes and the authorizations (i.e., privileges) to perform needed operations on the systems associated with organization-defined attributes and rules. When users are assigned to attributes defined in attribute-based access control policies or rules, they can be provisioned to a system with the appropriate privileges or dynamically granted access to a protected resource.
Attribute-based access control can be implemented as either a mandatory or discretionary form of access control. When implemented with mandatory access controls, the requirements in AC-03(03) define the scope of the subjects and objects covered by the policy.
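The guidance above describes four attribute categories (organizational, action, environmental, resource) combined by organization-defined rules. The following is an added illustration of such a policy engine, written for this page; it is not NIST text or any product's implementation. Every attribute name, classification label, rule and sample request in it is constructed for the example. It uses a deny-overrides, default-deny combining algorithm and returns the name of the deciding rule so that the decision can be recorded for audit, which is the kind of evidence the assessment questions below ask about.

```python
"""Minimal attribute-based access control (ABAC) evaluator (added example).

Attribute names, rules and sample requests are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import time
from typing import Any, Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, Any]

# Ordering of classification / clearance labels (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
BUSINESS_HOURS = (time(8, 0), time(18, 0))


@dataclass(frozen=True)
class Request:
    """One access request carrying the four attribute categories from the guidance."""
    subject: Attrs       # organizational attributes (identity, job function, clearance)
    action: str          # action attribute (read, write, delete)
    resource: Attrs      # resource attributes (classification, owning department)
    environment: Attrs   # environmental attributes (time of day, network location)


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    applies: Callable[[Request], bool]   # predicate over the request's attributes


def in_business_hours(t: time) -> bool:
    start, end = BUSINESS_HOURS
    return start <= t < end


RULES: List[Rule] = [
    # Mandatory-style rule: the subject's clearance must dominate the classification.
    Rule("clearance-dominates-classification", "deny",
         lambda r: LEVELS[r.subject["clearance"]] < LEVELS[r.resource["classification"]]),
    # Environmental rules: destructive actions only from the corporate network, in hours.
    Rule("delete-only-from-corporate-network", "deny",
         lambda r: r.action == "delete" and r.environment["network"] != "corporate"),
    Rule("changes-only-in-business-hours", "deny",
         lambda r: r.action in ("write", "delete")
         and not in_business_hours(r.environment["time_of_day"])),
    # Permits scoped by organizational attributes.
    Rule("same-department-read", "permit",
         lambda r: r.action == "read"
         and r.subject["department"] == r.resource["department"]),
    Rule("department-editor-modify", "permit",
         lambda r: r.action in ("write", "delete")
         and r.subject["role"] == "editor"
         and r.subject["department"] == r.resource["department"]),
]


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Deny-overrides, default-deny combining algorithm.

    Returns (decision, rule_name) so the deciding rule can be written to the
    audit log; "default-deny" means no permit rule matched.
    """
    permitted_by: Optional[str] = None
    for rule in rules:
        try:
            matched = rule.applies(req)
        except KeyError:
            # A request lacking an attribute a rule needs fails closed: it
            # matches deny rules and does not match permit rules.
            matched = rule.effect == "deny"
        if not matched:
            continue
        if rule.effect == "deny":
            return "deny", rule.name
        permitted_by = permitted_by or rule.name
    return ("permit", permitted_by) if permitted_by else ("deny", "default-deny")


def sample_decisions() -> Dict[str, Tuple[str, str]]:
    """Constructed requests that exercise each rule in RULES."""
    analyst = {"identity": "alice", "role": "analyst", "department": "finance", "clearance": "internal"}
    editor = {"identity": "bob", "role": "editor", "department": "finance", "clearance": "confidential"}
    internal_report = {"classification": "internal", "department": "finance"}
    restricted_memo = {"classification": "restricted", "department": "finance"}
    office = {"network": "corporate", "time_of_day": time(10, 30)}
    home_night = {"network": "remote", "time_of_day": time(22, 15)}
    return {
        "analyst_reads_internal": evaluate(RULES, Request(analyst, "read", internal_report, office)),
        "analyst_reads_restricted": evaluate(RULES, Request(analyst, "read", restricted_memo, office)),
        "analyst_writes_internal": evaluate(RULES, Request(analyst, "write", internal_report, office)),
        "editor_deletes_in_office": evaluate(RULES, Request(editor, "delete", internal_report, office)),
        "editor_deletes_from_home": evaluate(RULES, Request(editor, "delete", internal_report, home_night)),
    }


if __name__ == "__main__":
    for label, (decision, rule) in sample_decisions().items():
        print(f"{label:28s} -> {decision:6s} ({rule})")
```

Rule order matters only for which deny rule is reported, never for the decision, because any matching deny wins and the first matching permit is otherwise chosen. The `KeyError` branch is the fail-closed behaviour a practitioner should check for: a request that arrives without, say, a clearance attribute must not slip past a mandatory rule.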
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of AC-3(13) (Attribute-Based Access Control)?
- Who are the designated roles responsible for implementing, maintaining, and monitoring AC-3(13)?
- How frequently is the AC-3(13) policy reviewed and updated, and what triggers policy changes?
- What training or awareness programs ensure personnel understand their responsibilities related to AC-3(13)?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce AC-3(13) requirements.
- What automated tools, systems, or technologies are deployed to implement AC-3(13)?
- How is AC-3(13) integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce AC-3(13) requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of AC-3(13)?
- What audit logs, records, reports, or monitoring data validate AC-3(13) compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of AC-3(13) effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate AC-3(13) compliance?