CoreOS 4.x - Access Control

Control responses for NIST SP 800-53 Revision 4.

NOTE: All CoreOS content is under active development through the ComplianceAsCode Project. Do not consider this content production-ready!


Requirements Traceability Matrix

Status values used in this matrix are "complete", "planned" and "not applicable"; a blank Status entry means no status is recorded for that control.

Control    Name                                                              Status
AC-1       Access Control Policy And Procedures                              not applicable
AC-2       Account Management                                                not applicable
AC-2 (1)   Automated System Account Management                               not applicable
AC-2 (2)   Removal Of Temporary / Emergency Accounts                         not applicable
AC-2 (3)   Disable Inactive Accounts                                         not applicable
AC-2 (4)   Automated Audit Actions                                           not applicable
AC-2 (5)   Inactivity Logout                                                 planned
AC-2 (6)   Dynamic Privilege Management                                      planned
AC-2 (7)   Role-Based Schemes                                                planned
AC-2 (8)   Dynamic Account Creation                                          planned
AC-2 (9)   Restrictions On Use Of Shared / Group Accounts                    not applicable
AC-2 (10)  Shared / Group Account Credential Termination                     not applicable
AC-2 (11)  Usage Conditions                                                  not applicable
AC-2 (12)  Account Monitoring / Atypical Usage                               not applicable
AC-2 (13)  Disable Accounts For High-Risk Individuals                        not applicable
AC-3       Access Enforcement                                                planned
AC-3 (1)   Restricted Access To Privileged Functions                         not applicable
AC-3 (2)   Dual Authorization
AC-3 (3)   Mandatory Access Control                                          planned
AC-3 (4)   Discretionary Access Control                                      planned
AC-3 (5)   Security-Relevant Information                                     planned
AC-3 (6)   Protection Of User And System Information                         not applicable
AC-3 (7)   Role-Based Access Control                                         planned
AC-3 (8)   Revocation Of Access Authorizations                               planned
AC-3 (9)   Controlled Release                                                planned
AC-3 (10)  Audited Override Of Access Control Mechanisms                     complete
AC-4       Information Flow Enforcement                                      planned
AC-4 (1)   Object Security Attributes                                        planned
AC-4 (2)   Processing Domains                                                planned
AC-4 (3)   Dynamic Information Flow Control                                  planned
AC-4 (4)   Content Check Encrypted Information
AC-4 (5)   Embedded Data Types                                               not applicable
AC-4 (6)   Metadata                                                          planned
AC-4 (7)   One-Way Flow Mechanisms                                           not applicable
AC-4 (8)   Security Policy Filters                                           planned
AC-4 (9)   Human Reviews
AC-4 (10)  Enable / Disable Security Policy Filters                          complete
AC-4 (11)  Configuration Of Security Policy Filters                          complete
AC-4 (12)  Data Type Identifiers
AC-4 (13)  Decomposition Into Policy-Relevant Subcomponents
AC-4 (14)  Security Policy Filter Constraints
AC-4 (15)  Detection Of Unsanctioned Information
AC-4 (16)  Information Transfers On Interconnected Systems
AC-4 (17)  Domain Authentication
AC-4 (18)  Security Attribute Binding
AC-4 (19)  Validation Of Metadata
AC-4 (20)  Approved Solutions
AC-4 (21)  Physical / Logical Separation Of Information Flows                planned
AC-4 (22)  Access Only
AC-5       Separation Of Duties
AC-6       Least Privilege
AC-6 (1)   Authorize Access To Security Functions                            not applicable
AC-6 (2)   Non-Privileged Access For Nonsecurity Functions                   not applicable
AC-6 (3)   Network Access To Privileged Commands                             not applicable
AC-6 (4)   Separate Processing Domains
AC-6 (5)   Privileged Accounts                                               not applicable
AC-6 (6)   Privileged Access By Non-Organizational Users
AC-6 (7)   Review Of User Privileges                                         planned
AC-6 (8)   Privilege Levels For Code Execution
AC-6 (9)   Auditing Use Of Privileged Functions                              planned
AC-6 (10)  Prohibit Non-Privileged Users From Executing Privileged Functions planned
AC-7       Unsuccessful Logon Attempts                                       planned
AC-7 (1)   Automatic Account Lock
AC-7 (2)   Purge / Wipe Mobile Device
AC-8       System Use Notification                                           planned
AC-9       Previous Logon (Access) Notification
AC-9 (1)   Unsuccessful Logons
AC-9 (2)   Successful / Unsuccessful Logons
AC-9 (3)   Notification Of Account Changes
AC-9 (4)   Additional Logon Information
AC-10      Concurrent Session Control                                        planned
AC-11      Session Lock                                                      not applicable
AC-11 (1)  Pattern-Hiding Displays                                           not applicable
AC-12      Session Termination                                               planned
AC-12 (1)  User-Initiated Logouts / Message Displays                         complete
AC-13      Supervision And Review - Access Control
AC-14      Permitted Actions Without Identification Or Authentication        complete
AC-14 (1)  Necessary Uses
AC-15      Automated Marking
AC-16      Security Attributes                                               not applicable
AC-16 (1)  Dynamic Attribute Association
AC-16 (2)  Attribute Value Changes By Authorized Individuals
AC-16 (3)  Maintenance Of Attribute Associations By Information System
AC-16 (4)  Association Of Attributes By Authorized Individuals
AC-16 (5)  Attribute Displays For Output Devices
AC-16 (6)  Maintenance Of Attribute Association By Organization
AC-16 (7)  Consistent Attribute Interpretation
AC-16 (8)  Association Techniques / Technologies
AC-16 (9)  Attribute Reassignment
AC-16 (10) Attribute Configuration By Authorized Individuals
AC-17      Remote Access                                                     not applicable
AC-17 (1)  Automated Monitoring / Control                                    complete
AC-17 (2)  Protection Of Confidentiality / Integrity Using Encryption
AC-17 (3)  Managed Access Control Points                                     planned
AC-17 (4)  Privileged Commands / Access
AC-17 (5)  Monitoring For Unauthorized Connections
AC-17 (6)  Protection Of Information
AC-17 (7)  Additional Protection For Security Function Access
AC-17 (8)  Disable Nonsecure Network Protocols
AC-17 (9)  Disconnect / Disable Access                                       complete
AC-18      Wireless Access                                                   not applicable
AC-18 (1)  Authentication And Encryption                                     not applicable
AC-18 (2)  Monitoring Unauthorized Connections
AC-18 (3)  Disable Wireless Networking
AC-18 (4)  Restrict Configurations By Users
AC-18 (5)  Antennas / Transmission Power Levels
AC-19      Access Control For Mobile Devices                                 not applicable
AC-19 (1)  Use Of Writable / Portable Storage Devices
AC-19 (2)  Use Of Personally Owned Portable Storage Devices
AC-19 (3)  Use Of Portable Storage Devices With No Identifiable Owner
AC-19 (4)  Restrictions For Classified Information
AC-19 (5)  Full Device / Container-Based Encryption
AC-20      Use Of External Information Systems                               not applicable
AC-20 (1)  Limits On Authorized Use                                          not applicable
AC-20 (2)  Portable Storage Devices                                          not applicable
AC-20 (3)  Non-Organizationally Owned Systems / Components / Devices         not applicable
AC-20 (4)  Network Accessible Storage Devices                                not applicable
AC-21      Information Sharing                                               not applicable
AC-21 (1)  Automated Decision Support                                        not applicable
AC-21 (2)  Information Search And Retrieval                                  not applicable
AC-22      Publicly Accessible Content                                       not applicable
AC-23      Data Mining Protection