AC.L1-3.1.2 Transaction & Function Control

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Source: FAR Clause 52.204-21 b.1.ii, NIST SP 800-171 Rev 2 3.1.2

Discussion: Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades, scheduled maintenance) and mission or business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements).
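As an added illustration, not part of the CMMC or NIST text, the check below encodes the attributes the discussion names: permitted functions per account type, plus time-of-day, day-of-week and point-of-origin restrictions, evaluated deny-by-default. The account types, function names, hours and networks are constructed examples, not values from this practice.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed policy for AC.L1-3.1.2: each account type is limited to a set of
# functions, optionally narrowed by local time-of-day, day-of-week and source
# network. Names and values are hypothetical examples.
@dataclass
class Rule:
    functions: frozenset
    hours: tuple = (time(0, 0), time(23, 59, 59))   # inclusive start/end, local time
    days: frozenset = frozenset(range(7))            # 0 = Monday ... 6 = Sunday
    origins: tuple = ("0.0.0.0/0",)                  # permitted source networks

POLICY = {
    "individual": Rule(functions=frozenset({"read_cui", "submit_report"}),
                       hours=(time(7, 0), time(19, 0)),
                       days=frozenset(range(5)),          # business days only
                       origins=("10.0.0.0/8",)),          # internal network only
    "vendor": Rule(functions=frozenset({"update_firmware"}),
                   hours=(time(22, 0), time(23, 59, 59)),  # maintenance window
                   origins=("203.0.113.0/24",)),          # vendor's published range
    "guest": Rule(functions=frozenset()),                  # no transactions at all
}

def is_permitted(account_type, function, when, source_ip, policy=POLICY):
    """Deny by default: the account type must have a rule, the function must be
    listed, and every time and origin attribute on the rule must be satisfied."""
    rule = policy.get(account_type)
    if rule is None or function not in rule.functions:
        return False
    start, end = rule.hours
    if not (start <= when.time() <= end):
        return False
    if when.weekday() not in rule.days:
        return False
    src = ip_address(source_ip)
    return any(src in ip_network(net) for net in rule.origins)
```

Each denial maps to one attribute, so a logged rejection can state which restriction (function, time, day or origin) was the reason.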

SPRS Score: 5