Doc:NIST SP 800-53r3 Appendix F/AC-2
AC-2 ACCOUNT MANAGEMENT
- Control: The organization manages information system accounts, including:
  - a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);
  - b. Establishing conditions for group membership;
  - c. Identifying authorized users of the information system and specifying access privileges;
  - d. Requiring appropriate approvals for requests to establish accounts;
  - e. Establishing, activating, modifying, disabling, and removing accounts;
  - f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
  - g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
  - h. Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users;
  - i. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and
  - j. Reviewing accounts [Assignment: organization-defined frequency].
- Supplemental Guidance: The identification of authorized users of the information system and the specification of access privileges is consistent with the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by organizational officials responsible for approving such accounts and privileged access. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-4, IA-5, CM-5, CM-6, MA-3, MA-4, MA-5, SA-7, SC-13, SI-9.
- Control Enhancements: