NIST 800-53 AC-5

Separation of Duties

Return to master list of NIST 800-53 controls.


Automated Inspection items for NIST SP 800-53 AC-5 assessment.

Automated Inspection items are efficient enough that they can usually be part of a CA-7 Continuous Monitoring program on a daily (or in some cases hourly) basis, simultaneously meeting the requirements of RA-5 Vulnerability Scanning. While NIST 800-53 allows Continuous Monitoring results to be used for CA-2 Security Assessments and CA-4 Security Certification, a separate run using the same automated Inspection items in combination with more laborious items for CA-2 and CA-4 adds no significant burden.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen, LJK/Security™ starter templates provide automated Inspection items as follows:

NIST SP 800-53 R2 AC-5
Description of each item, followed by its Automated Test identifiers:
Each authorized user shall have at most one privileged and one non-privileged username.
(UAF,OWNER,NONPRIVMAX)
(UAF,OWNER,NONPRIVMIN)
(UAF,OWNER,PRIVMAX)
(UAF,OWNER,PRIVMIN)
Individuals doing account management do not perform Audit Control.
(USAGE,DOUAF,DOAUDIT)
Individuals doing account management do not perform Network Management.
(USAGE,DOUAF,DONCP)
Individuals doing account management do not perform Security Assessment.
(USAGE,DOUAF,DOASSESS)
Individuals doing account management do not perform System Management.
(USAGE,DOUAF,DOINSTALL)
(USAGE,DOUAF,DOMOUNT)
(USAGE,DOUAF,DOPROCESS)
(USAGE,DOUAF,DOSYSGEN)
(USAGE,DOUAF,DOTIME)
Individuals doing audit control do not perform Account Management.
(USAGE,DOAUDIT,DOUAF)
Individuals doing audit control do not perform Network Management.
(USAGE,DOAUDIT,DONCP)
Individuals doing audit control do not perform Security Assessment.
(USAGE,DOAUDIT,DOASSESS)
Individuals doing audit control do not perform System Management.
(USAGE,DOAUDIT,DOINSTALL)
(USAGE,DOAUDIT,DOMOUNT)
(USAGE,DOAUDIT,DOPROCESS)
(USAGE,DOAUDIT,DOSYSGEN)
(USAGE,DOAUDIT,DOTIME)
Individuals doing network management do not perform Account Management.
(USAGE,DONCP,DOUAF)
Individuals doing network management do not perform Audit Control.
(USAGE,DONCP,DOAUDIT)
Individuals doing network management do not perform Security Assessment.
(USAGE,DONCP,DOASSESS)
Individuals doing network management do not perform System Management.
(USAGE,DONCP,DOINSTALL)
(USAGE,DONCP,DOMOUNT)
(USAGE,DONCP,DOPROCESS)
(USAGE,DONCP,DOSYSGEN)
(USAGE,DONCP,DOTIME)
Individuals doing security assessment do not perform Account Management.
(USAGE,DOASSESS,DOUAF)
Individuals doing security assessment do not perform Audit Control.
(USAGE,DOASSESS,DOAUDIT)
Individuals doing security assessment do not perform Network Management.
(USAGE,DOASSESS,DONCP)
Individuals doing security assessment do not perform System Management.
(USAGE,DOASSESS,DOINSTALL)
(USAGE,DOASSESS,DOMOUNT)
(USAGE,DOASSESS,DOPROCESS)
(USAGE,DOASSESS,DOSYSGEN)
(USAGE,DOASSESS,DOTIME)
Individuals doing system management do not perform Account Management.
(USAGE,DOINSTALL,DOUAF)
(USAGE,DOMOUNT,DOUAF)
(USAGE,DOPROCESS,DOUAF)
(USAGE,DOSYSGEN,DOUAF)
(USAGE,DOTIME,DOUAF)
Individuals doing system management do not perform Audit Control.
(USAGE,DOINSTALL,DOAUDIT)
(USAGE,DOMOUNT,DOAUDIT)
(USAGE,DOPROCESS,DOAUDIT)
(USAGE,DOSYSGEN,DOAUDIT)
(USAGE,DOTIME,DOAUDIT)
Individuals doing system management do not perform Network Management.
(USAGE,DOINSTALL,DONCP)
(USAGE,DOMOUNT,DONCP)
(USAGE,DOPROCESS,DONCP)
(USAGE,DOSYSGEN,DONCP)
(USAGE,DOTIME,DONCP)
Individuals doing system management do not perform Security Assessment.
(USAGE,DOINSTALL,DOASSESS)
(USAGE,DOMOUNT,DOASSESS)
(USAGE,DOPROCESS,DOASSESS)
(USAGE,DOSYSGEN,DOASSESS)
(USAGE,DOTIME,DOASSESS)
Most broadcast operations are by operators with only TMPMBX, NETMBX and OPER privileges.
(USAGE,OPERATOR,BROADCAST)
Most queue operations are by operators with only TMPMBX, NETMBX and OPER privileges.
(USAGE,OPERATOR,QUEUE)
Most tape operations are by operators with only TMPMBX, NETMBX and OPER privileges.
(USAGE,OPERATOR,TAPE)
No Administrators administer password changes for themselves.
(USAGE,EVADEPWD,SELF)
No more than 5 Usernames shall share a UIC.
(UAF,UICSHARE,ABSOLUTHI)
Process control auditing is enabled.
(AUDIT,PRCCANWAK,AUREQUIRE)
(AUDIT,PRCGETJPI,AUREQUIRE)
(AUDIT,PRCRESUME,AUREQUIRE)
(AUDIT,PRCSCHDWK,AUREQUIRE)
(AUDIT,PRCSIGPRC,AUREQUIRE)
(AUDIT,PRCSUSPND,AUREQUIRE)
(AUDIT,PRCWAKE,AUREQUIRE)
The Owner field in SYSUAF is maintained.
(UAF,OWNER,DIGITSPACE)
(UAF,OWNER,MAINTAINED)
The ratio of usernames with OPER privilege to those with more privilege is sufficiently large.
(UAF,OPERATOR,TOOFEW)
Username SYSTEM is not permitted Interactive or Network access.
(USAGE,SYSTEMUSER,NOINTERACT)
(USAGE,SYSTEMUSER,NONETWORK)
Usernames with full privilege to control the system shall require dual passwords.
(UAF,PWDNULL,SECMAXPRIV)
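Taken together, the USAGE items above form a pairwise duty-conflict matrix (account management, audit control, network management, security assessment, system management) and the UAF OWNER items bound how many usernames one person may hold. The script below is an added example, not LJK/Security code, showing how such checks can be run over account and usage records. The record layouts, the sample data, the DUTY mapping, the attribution of a username's activity to its Owner, and the treatment of any privilege beyond TMPMBX/NETMBX as "privileged" are assumptions made for this example; the activity codes reuse the page's own test names as labels.

```python
"""Separation-of-duties checks modelled on the SYSUAF-based inspection items above.
Added example; record formats and sample data are constructed, not a real AUTHORIZE listing."""
from collections import defaultdict

# Constructed account records: (username, Owner field, set of privileges).
ACCOUNTS = [
    ("SYSTEM",   "SYSTEM MANAGER", {"TMPMBX", "NETMBX", "SETPRV", "CMKRNL"}),
    ("JSMITH",   "J SMITH",        {"TMPMBX", "NETMBX"}),
    ("JSMITH_P", "J SMITH",        {"TMPMBX", "NETMBX", "OPER", "SYSPRV"}),
    ("JSMITH_X", "J SMITH",        {"TMPMBX", "NETMBX", "CMKRNL"}),  # second privileged username
    ("AJONES",   "A JONES",        {"TMPMBX", "NETMBX"}),
    ("AJONES_P", "A JONES",        {"TMPMBX", "NETMBX", "OPER"}),
    ("BLEE",     "B LEE",          {"TMPMBX", "NETMBX", "SECURITY"}),
]

# Constructed usage records: (username, observed activity code).
USAGE = [
    ("JSMITH_P", "DOUAF"),       # account management
    ("JSMITH_P", "DOSYSGEN"),    # system management: conflicts with DOUAF
    ("AJONES_P", "DOMOUNT"),
    ("AJONES_P", "DOINSTALL"),   # both system management: no conflict
    ("BLEE",     "DOAUDIT"),
    ("BLEE",     "DOASSESS"),    # audit control vs security assessment: conflict
    ("SYSTEM",   "INTERACTIVE"),
]

# Assumed mapping of activity codes to duty categories, following the grouping of the items above.
DUTY = {
    "DOUAF": "account management",
    "DOAUDIT": "audit control",
    "DONCP": "network management",
    "DOASSESS": "security assessment",
    "DOINSTALL": "system management", "DOMOUNT": "system management",
    "DOPROCESS": "system management", "DOSYSGEN": "system management",
    "DOTIME": "system management",
}

# Assumption: anything beyond the normal-user pair TMPMBX/NETMBX makes a username privileged.
NORMAL_PRIVS = {"TMPMBX", "NETMBX"}


def is_privileged(privs):
    return bool(set(privs) - NORMAL_PRIVS)


def username_limits(accounts, max_priv=1, max_nonpriv=1):
    """PRIVMAX/NONPRIVMAX analogue: each Owner holds at most one privileged and one
    non-privileged username. Returns [(owner, kind, count)] for owners over the limit."""
    counts = defaultdict(lambda: {"privileged": 0, "non-privileged": 0})
    for _name, owner, privs in accounts:
        counts[owner]["privileged" if is_privileged(privs) else "non-privileged"] += 1
    findings = []
    for owner, c in sorted(counts.items()):
        if c["privileged"] > max_priv:
            findings.append((owner, "privileged", c["privileged"]))
        if c["non-privileged"] > max_nonpriv:
            findings.append((owner, "non-privileged", c["non-privileged"]))
    return findings


def duty_conflicts(accounts, usage):
    """Pairwise matrix: one individual (Owner) performing activities in two different
    duty categories is a finding. Activity is attributed to the username's Owner so that a
    person's privileged and non-privileged usernames are judged together.
    Returns [(owner, duty_a, duty_b)] with duties in sorted order."""
    owner_of = {name: owner for name, owner, _ in accounts}
    duties = defaultdict(set)
    for name, activity in usage:
        if activity in DUTY:                       # codes outside the matrix are ignored
            duties[owner_of.get(name, name)].add(DUTY[activity])
    findings = []
    for owner, held in sorted(duties.items()):
        held = sorted(held)
        for i, a in enumerate(held):
            for b in held[i + 1:]:
                findings.append((owner, a, b))
    return findings


def system_account_access(usage):
    """SYSTEMUSER NOINTERACT/NONETWORK analogue: access modes seen for username SYSTEM."""
    return sorted({act for name, act in usage
                   if name == "SYSTEM" and act in ("INTERACTIVE", "NETWORK")})


if __name__ == "__main__":
    for owner, kind, n in username_limits(ACCOUNTS):
        print(f"FAIL username limit: {owner} has {n} {kind} usernames")
    for owner, a, b in duty_conflicts(ACCOUNTS, USAGE):
        print(f"FAIL separation of duties: {owner} performs both {a} and {b}")
    for mode in system_account_access(USAGE):
        print(f"FAIL SYSTEM username used for {mode} access")
```

Run against the constructed data it reports J SMITH holding two privileged usernames, J SMITH combining account management with system management, B LEE combining audit control with security assessment, and an interactive login by SYSTEM; A JONES's two system-management activities fall in one category and are not a conflict.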

Interview questions for NIST SP 800-53 AC-5 assessment.

Interview questions are useful mainly for CA-2 Security Assessments and CA-4 Security Certification. For most environments they are too laborious to include in CA-7 Continuous Monitoring.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen, LJK/Security™ starter templates provide Interview questions in the following groups:

Determination Statement Number: NIST SP 800-53 R2 AC-5
Group Names: POLSTAFF

Manual Inspection items for NIST SP 800-53 AC-5 assessment.

Manual Inspection items are useful mainly for CA-2 Security Assessments and CA-4 Security Certification. For most environments they are too laborious to include in CA-7 Continuous Monitoring.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen, LJK/Security™ starter templates provide Manual Inspection items in the following groups:

Determination Statement Number: NIST SP 800-53 R2 AC-5
Group Names: POLICY

Manual Invasive Testing items for NIST SP 800-53 AC-5 assessment.

Manual Invasive Testing items are useful mainly for CA-2 Security Assessments and CA-4 Security Certification. For most environments they are too laborious to include in CA-7 Continuous Monitoring. The level of effort required and the degree of invasiveness are so high (in most cases they make up for the lack of a Common Criteria evaluation) that arranging them as a Common Control is almost always a prerequisite for executing them.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen, LJK/Security™ starter templates provide Manual Invasive Testing items in the following groups:

Determination Statement Number: NIST SP 800-53 R2 AC-5
Group Names: TEST_VMS_OPER

Descriptions above apply to LJK/Security™ Version 3.0.

The notation NIST SP 800-53 above refers in particular to NIST Special Publication 800-53 Revision 2.

Those NIST Special Publications specify security standards in support of FISMA for US Federal Government civil activities.
