AC.L1-3.1.2/b.1.ii Transaction & Function Control
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Source: FAR Clause 52.204-21 b.1.ii, NIST SP 800-171 Rev 2 3.1.2
Discussion: Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades, scheduled maintenance) and mission or business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements).
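The discussion above describes authorizing by account type, permitted function, and attributes such as time-of-day, day-of-week and point-of-origin. The following is an added example (not from the CMMC or NIST source text) of an enforcement check that combines those attributes; the account names, functions, hours and the 10.20.0.0/16 network are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class Authorization:
    """Per-account authorization: permitted functions plus attribute limits."""
    account_type: str                 # individual, system, guest, ... (per the discussion)
    functions: set                    # transactions/functions this account may execute
    start: time = time(0, 0)          # time-of-day window (does not wrap past midnight)
    end: time = time(23, 59, 59)
    days: set = field(default_factory=lambda: set(range(7)))   # 0 = Monday ... 6 = Sunday
    origins: list = field(default_factory=list)                # allowed networks; empty = any


# Constructed sample list of approved authorizations (user privileges).
AUTHORIZATIONS = {
    "alice": Authorization("individual", {"view_invoice", "approve_invoice"},
                           time(7, 0), time(19, 0), set(range(5)),
                           [ip_network("10.20.0.0/16")]),
    "svc-backup": Authorization("system", {"run_backup"}, time(1, 0), time(4, 0)),
    "guest": Authorization("guest", {"view_invoice"},
                           origins=[ip_network("10.20.0.0/16")]),
}


def is_authorized(user, function, when: datetime, source_ip):
    """Return (allowed, reason). Every branch denies by default and names
    the attribute that blocked the request, so the decision can be logged
    and later examined as an audit record for objective [b]."""
    auth = AUTHORIZATIONS.get(user)
    if auth is None:
        return False, "unknown account"
    if function not in auth.functions:
        return False, "function not permitted for account"
    if when.weekday() not in auth.days:
        return False, "outside permitted day-of-week"
    if not (auth.start <= when.time() <= auth.end):
        return False, "outside permitted time-of-day"
    if auth.origins and not any(ip_address(source_ip) in net for net in auth.origins):
        return False, "point-of-origin not permitted"
    return True, "ok"


if __name__ == "__main__":
    print(is_authorized("alice", "approve_invoice", datetime(2024, 6, 4, 10, 0), "10.20.5.7"))
    print(is_authorized("alice", "approve_invoice", datetime(2024, 6, 8, 10, 0), "10.20.5.7"))
```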
Assessment Objectives:
Determine if:
- [a] the types of transactions and functions that authorized users are permitted to execute are defined; and
- [b] system access is limited to the defined types of transactions and functions for authorized users.
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; security plan; system design documentation; list of approved authorizations (user privileges) including remote access authorizations; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with access enforcement responsibilities; system or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing access control policy].
SPRS Score: 5
POA&M Allowed: No