The organization manages information system accounts, including:
a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users of the information system and specifying access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Establishing, activating, modifying, disabling, and removing accounts;
f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
h. Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users;
i. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and
j. Reviewing accounts [Assignment: organization-defined frequency].
Supplemental Guidance:
The identification of authorized users of the information system and the specification of access privileges is consistent with the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by organizational officials responsible for approving such accounts and privileged access. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-4, IA-5, CM-5, CM-6, MA-3, MA-4, MA-5, SA-7, SC-13, SI-9.
Control Enhancements:
(1) The organization employs automated mechanisms to support the management of information system accounts.
(2) The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
(3) The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
(4) The information system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.
(5) The organization:
(a) Requires that users log out when [Assignment: organization-defined time period of expected inactivity and/or description of when to log out];
(b) Determines normal time-of-day and duration usage for information system accounts;
(c) Monitors for atypical usage of information system accounts; and
(d) Reports atypical usage to designated organizational officials.
(6) The information system dynamically manages user privileges and associated access authorizations.
Enhancement Supplemental Guidance: In contrast to conventional access control approaches that employ static information system accounts and predefined sets of user privileges, many service-oriented architecture implementations rely on run-time access control decisions facilitated by dynamic privilege management. While user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing mission/business requirements and operational needs of the organization.
(7) The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles; and
(b) Tracks and monitors privileged role assignments.
Enhancement Supplemental Guidance: Privileged roles include, for example, key management, network and system administration, database administration, and web administration.
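The automatic termination and disabling required by enhancements (2) and (3), together with the per-action audit record required by enhancement (4), as an added example that is not part of the control text: a Python review pass over a constructed account inventory, with the organization-defined time periods filled in with assumed placeholder values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# AC-2(2)/(3) leave the time periods to the organization; these are
# assumed placeholder values, not values taken from the control text.
LIFETIME = {"temporary": timedelta(days=30), "emergency": timedelta(days=1)}
INACTIVITY_LIMIT = timedelta(days=90)

@dataclass
class Account:
    name: str
    kind: str                   # individual, group, system, application, guest, temporary, emergency
    created: datetime
    last_login: Optional[datetime]
    enabled: bool = True

def find_accounts_to_disable(accounts, now):
    """Return {name: reason} for enabled accounts that AC-2(2)/(3) say to terminate or disable."""
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.kind in LIFETIME and now - acct.created > LIFETIME[acct.kind]:
            findings[acct.name] = f"{acct.kind} account past its lifetime"
            continue
        # A never-used account is measured from creation, so it cannot sit enabled forever.
        last_activity = acct.last_login or acct.created
        if now - last_activity > INACTIVITY_LIMIT:
            findings[acct.name] = "inactive beyond limit"
    return findings

def disable_accounts(accounts, now, actor="ac2-automation"):
    """Disable every flagged account and return one audit record per action (AC-2(4))."""
    records = []
    for name, reason in find_accounts_to_disable(accounts, now).items():
        acct = next(a for a in accounts if a.name == name)
        acct.enabled = False
        records.append({"time": now.isoformat(), "action": "disable",
                        "account": name, "actor": actor, "reason": reason})
    return records
# Constructed sample inventory (not real accounts).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Account("alice", "individual", NOW - timedelta(days=400), NOW - timedelta(days=3)),
    Account("bob", "individual", NOW - timedelta(days=400), NOW - timedelta(days=120)),
    Account("guest-kiosk", "guest", NOW - timedelta(days=200), None),
    Account("contractor1", "temporary", NOW - timedelta(days=45), NOW - timedelta(days=1)),
    Account("breakglass", "emergency", NOW - timedelta(hours=30), NOW - timedelta(hours=2)),
]
```

The audit records returned by `disable_accounts` are what a notification hook for enhancement (4) would forward to the designated individuals; the lifetime check runs before the inactivity check so a temporary account is reported for the stronger reason.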