Model Overview
Source of Reference: The official Model Overview from the Office of the Under Secretary of Defense Acquisition & Sustainment.
For inquiries and reporting errors on this wiki, please contact us. Thank you.
Access Control (AC)
| Level 1 | Level 2 | Level 3 (TBD) |
|---|---|---|
| AC.L1-3.1.1
Authorized Access Control Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
|
AC.L2-3.1.3
Control CUI Flow Control the flow of CUI in accordance with approved authorizations.
|
|
| AC.L1-3.1.2
Transaction & Function Control Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
|
AC.L2-3.1.4
Separation of Duties Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
|
|
| AC.L1-3.1.20
External Connections Verify and control/limit connections to and use of external information systems.
|
AC.L2-3.1.5
Least Privilege Employ the principle of least privilege, including for specific security functions and privileged accounts.
|
|
| AC.L1-3.1.22
Control Public Information Control information posted or processed on publicly accessible information systems.
|
AC.L2-3.1.6
Non-Privileged Account Use Use non-privileged accounts or roles when accessing nonsecurity functions.
|
|
| AC.L2-3.1.7
Privileged Functions Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
|
||
| AC.L2-3.1.8
Unsuccessful Logon Attempts Limit unsuccessful logon attempts.
|
||
| AC.L2-3.1.9
Privacy & Security Notices Provide privacy and security notices consistent with applicable CUI rules.
|
||
| AC.L2-3.1.10
Session Lock Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
|
||
| AC.L2-3.1.11
Session Termination Terminate (automatically) a user session after a defined condition.
|
||
| AC.L2-3.1.12
Control Remote Access Monitor and control remote access sessions.
|
||
| AC.L2-3.1.13
Remote Access Confidentiality Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
|
||
| AC.L2-3.1.14
Remote Access Routing Route remote access via managed access control points.
|
||
| AC.L2-3.1.15
Privileged Remote Access Authorize remote execution of privileged commands and remote access to security-relevant information.
|
||
| AC.L2-3.1.16
Wireless Access Authorization Authorize wireless access prior to allowing such connections.
|
||
| AC.L2-3.1.17
Wireless Access Protection Protect wireless access using authentication and encryption.
|
||
| AC.L2-3.1.18
Mobile Device Connection Control connection of mobile devices.
|
||
| AC.L2-3.1.19
Encrypt CUI on Mobile Encrypt CUI on mobile devices and mobile computing platforms.
|
||
| AC.L2-3.1.21
Portable Storage Use Limit use of portable storage devices on external systems.
|