Access Control
Authorize Access to Security Functions
AC-06(01)
NIST SP 800-53 Revision 5.2.0
- Official NIST control ID: AC-06(01)
- Catalog version: 5.2.0
- OSCAL version: 1.2.2
- Catalog last modified: May 11, 2026
Authorize access for [Assignment: organization-defined individuals and roles] to:
- (a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and
- (b) [Assignment: organization-defined security-relevant information].
FedRAMP Parameters
| Parameter ID | NIST assignment | FedRAMP value |
|---|---|---|
| ac-06.01_odp.02 | security functions (deployed in hardware) | all functions not publicly accessible |
| ac-06.01_odp.05 | security-relevant information | all security-relevant information not publicly available |
Non-privileged Access for Nonsecurity Functions
AC-06(02)
NIST SP 800-53 Revision 5.2.0
- Official NIST control ID: AC-06(02)
- Catalog version: 5.2.0
- OSCAL version: 1.2.2
- Catalog last modified: May 11, 2026
Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions.
FedRAMP Parameters
| Parameter ID | NIST assignment | FedRAMP value |
|---|---|---|
| ac-06.02_odp | security functions or security-relevant information | all security functions |
Privilege Levels for Code Execution
AC-06(08)
NIST SP 800-53 Revision 5.2.0
- Official NIST control ID: AC-06(08)
- Catalog version: 5.2.0
- OSCAL version: 1.2.2
- Catalog last modified: May 11, 2026
Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software].
FedRAMP Parameters
| Parameter ID | NIST assignment | FedRAMP value |
|---|---|---|
| ac-06.08_odp | software | any software except software explicitly documented |
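On Unix-like hosts, the usual way software ends up "executing at higher privilege levels than users executing the software" is the setuid/setgid mode bit, so one practical check for AC-06(08) with the FedRAMP parameter above is to enumerate every setuid/setgid file and diff it against the explicitly documented list. The script below is an added example, not code from the NIST catalog or FedRAMP; it assumes a Unix-like filesystem, and the allowlist contents and the demo directory tree it builds are constructed for illustration.

```python
"""Find setuid/setgid files that are not on a documented allowlist.

Added example, not part of the NIST SP 800-53 or FedRAMP material. It assumes
a Unix-like host, where the setuid/setgid bits make a program run with the
privileges of the file's owner or group instead of those of the invoking user,
which is the behaviour AC-06(08) asks to prevent. DOCUMENTED stands in for the
"software explicitly documented" in the FedRAMP parameter; its contents are a
constructed assumption.
"""
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Optional, Set

PRIV_BITS = stat.S_ISUID | stat.S_ISGID

# Constructed stand-in for the organisation's documented list of privileged software.
DOCUMENTED: Set[str] = {"bin/documented_helper"}


def find_privileged_executables(root: str) -> List[str]:
    """Return sorted absolute paths of regular files under root with setuid or setgid set.

    lstat is used so symlinks are not followed, and only regular files count:
    on a directory setgid merely controls group inheritance, and following a
    link would report the same binary twice.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the whole scan
            if stat.S_ISREG(st.st_mode) and st.st_mode & PRIV_BITS:
                found.append(path)
    return sorted(found)


def undocumented(found: Iterable[str], allowlist: Set[str], root: str) -> List[str]:
    """Privileged files whose path relative to root is not on the documented allowlist."""
    return sorted(p for p in found if os.path.relpath(p, root) not in allowlist)


def scan_report(root: str, allowlist: Set[str]) -> Dict[str, List[str]]:
    """Scan root and return relative paths of all privileged files and of the undocumented ones."""
    found = find_privileged_executables(root)
    return {
        "privileged": [os.path.relpath(p, root) for p in found],
        "undocumented": [os.path.relpath(p, root) for p in undocumented(found, allowlist, root)],
    }


def build_demo_tree(base: Optional[str] = None) -> str:
    """Create a constructed directory tree for the demo and return its root.

    bin/documented_helper  setuid, on the allowlist      -> found, not reported
    bin/rogue              setuid, not on the allowlist  -> found and reported
    bin/plain              no special bits               -> ignored
    bin/rogue_link         symlink to rogue              -> ignored (lstat, not stat)
    """
    base = base or tempfile.mkdtemp()
    root = os.path.join(base, "demo_root")
    os.makedirs(os.path.join(root, "bin"))
    for name, mode in (("documented_helper", 0o4755), ("rogue", 0o4755), ("plain", 0o755)):
        path = os.path.join(root, "bin", name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)  # a non-root owner may set the setuid bit on its own file
    os.symlink(os.path.join(root, "bin", "rogue"), os.path.join(root, "bin", "rogue_link"))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = scan_report(build_demo_tree(tmp), DOCUMENTED)
        print("privileged executables:", report["privileged"])
        for rel in report["undocumented"]:
            print("AC-06(08) finding: undocumented privileged executable", rel)
```

Run it against a real root (for example `find_privileged_executables("/")` as a user who can read the tree) with the allowlist replaced by the system's documented list; anything reported is either undocumented software to be stripped of its bits or a gap in the documentation. File capabilities and sudo rules are separate escalation paths and need their own checks.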
Use of External Systems
AC-20
NIST SP 800-53 Revision 5.2.0
- Official NIST control ID: AC-20
- Catalog version: 5.2.0
- OSCAL version: 1.2.2
- Catalog last modified: May 11, 2026
- a. [Selection: one or more of: establish; identify], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
  - 1. Access the system from external systems; and
  - 2. Process, store, or transmit organization-controlled information using external systems; or
- b. Prohibit the use of [Assignment: organization-defined prohibited types of external systems].
FedRAMP Guidance
The interrelated controls AC-20, CA-3, and SA-9 should be differentiated as follows:
- AC-20 describes system access to and from external systems.
- CA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO (cloud service offering) and an external system.
- SA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3.