What You Need To Know About the Access Control (AC) Control Family

by Shea Simpson

StateRAMP security standards and requirements are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53 Rev. 4. Over the course of the next few months, our team will be releasing weekly blogs to elaborate on the 17 control families outlined in these requirements.

What is Access Control?

The Access Control (AC) control family revolves around who you authorize to access your assets and how they are allowed to gain access.

Why is Access Control Important?

AC is one of the most critical control families because it ensures the system in question has adequate protection surrounding access to the information system. Unauthorized system access always precedes cyber incidents, making a solid security posture regarding access controls a must.

The AC family itself is geared toward ensuring a system’s technical security implementations meet a minimum best practice standard for operation and certifies service providers have access and account management practices in place to manage access provisioning and user account controls appropriately.

Sufficiently meeting the AC controls shows that the service provider’s offering identifies and authorizes legitimate users of the system while protecting against unauthorized access and system compromise.

How does having strong Access Control benefit governments?

Good AC controls benefit governments as these controls are one of the first lines of defense when considering the security of an information system. For example, imagine that you owned a very nice house and wanted to keep it secure. You’d probably invest in an alarm system and high-quality locks for the doors and windows.

Would you then hand out keys and the alarm code to anyone who might conceivably need access to something inside your house just in case? Hopefully not, because that would defeat the point of the alarm system and the locks. The same could be said for granting access to an information system you need the locks, alarm system, and a process for handing out the keys to the right people.

What is the easiest way for a provider to determine their current AC implementation?

Access control is all about who is allowed into the system. Both remote and local access are to be considered when addressing this control. Here are some questions service provider should consider when implementing the AC control family:

  • Is a role-based access control scheme used to determine levels of system access for individual users? Does this role-based scheme consider the concepts of least privilege and separation of duties?
  • What are the password requirements in terms of length, complexity, minimum and maximum age?
  • Are accounts automatically logged out after a certain period of inactivity?
  • Is there an account review process for privileged information system accounts?
  • How are account creation/modification/deletion actions tracked from initial submission through approval into action?
  • Are privileged information system accounts creation/modification/deletion actions audited?
  • Is there an alerting process set up to notify account managers for the creation or modification of privileged accounts?
  • How is remote access secured?
  • In what situations are wireless access granted?
  • How are mobile devices allowed to access the system?

What are some acceptable AC implementations?

Examples of robust implementations of the AC controls include:

  • Remote access that is encrypted using FIPS 140-2 encryption methods and requires MFA
  • Account managers that are assigned to approve and periodically review all accounts created on the information system
  • A defined process for account creation and management that includes tracking requests from submission to implementation using a ticketing system like Jira or something similar
  • A role-based scheme for granting access to the system that is based on least-privilege and separation of duties
  • Strong password requirements
  • Password hashing and one-way salting
  • Logging and alerting for the creation of privileged accounts that alert account managers and require a manual review of the newly created account. Frequently, this is accomplished through a Security Incident and Event Management (SIEM) platform.

What does StateRAMP require in terms of Access Control?

Service providers interested in validating their product through StateRAMP should meet the following requirements:

  • Secure all remote access with strong encryption methods with a cipher strength of AES-128 and in-transit encryption using TLS1.1 or above
  • A defined account management process using a role-based scheme that considers separation of duties and least privilege
  • Strong password requirements
  • At least annual reviews of all privileged accounts on the system
  • Policies and procedures surrounding credential use and reuse for shared or group accounts
  • Automatic disabling of inactive accounts after a period of 90 days or less
  • Automatic termination of a user’s session after an inactivity period of 15 minutes or less
  • Account creation auditing and alerting

Stay tuned for next week's blog post about the Audit and Accountability Control family.

Do you meet the minimum requirements for StateRAMP Ready?

Want to learn more about StateRAMP baseline security controls?

Share this post: