STIGhub: a free STIG search and compliance tool. STIGs updated 3 days ago.

AC-3 (3): Mandatory Access Control

Access Control | Rev 5 | system

Control Statement

Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy:

Supplemental Guidance

Mandatory access control is a type of nondiscretionary access control. Mandatory access control policies constrain what actions subjects can take with information obtained from objects for which they have already been granted access. This prevents the subjects from passing the information to unauthorized subjects and objects. Mandatory access control policies constrain actions that subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the system has control. Otherwise, the access control policy can be circumvented. This enforcement is provided by an implementation that meets the reference monitor concept as described in [AC-25](#ac-25). The policy is bounded by the system (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect).

The trusted subjects described above are granted privileges consistent with the concept of least privilege (see [AC-6](#ac-6)). Trusted subjects are only given the minimum privileges necessary for satisfying organizational mission/business needs relative to the above policy. The control is most applicable when there is a mandate that establishes a policy regarding access to controlled unclassified information or classified information and some users of the system are not authorized access to all such information resident in the system.

Mandatory access control can operate in conjunction with discretionary access control as described in [AC-3(4)](#ac-3.4). A subject constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of AC-3(4), but mandatory access control policies take precedence over the less rigorous constraints of AC-3(4). For example, while a mandatory access control policy imposes a constraint that prevents a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any other subject with the same impact or classification level as the subject. Examples of mandatory access control policies include the Bell-LaPadula policy to protect confidentiality of information and the Biba policy to protect the integrity of information.
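The constraints the guidance enumerates (uniform enforcement by a reference monitor, no passing of information or privileges, no subject-chosen labels, trusted-subject exemptions) can be made concrete with a toy reference monitor. This is an added illustration, not text from NIST, STIGhub or any STIG; the level lattice, subject and object names, and the `Monitor` and `decide` helpers are all constructed for the example, and it implements both the Bell-LaPadula and Biba dominance rules the guidance names.

```python
from dataclasses import dataclass, field

# Constructed example lattice: a total order of sensitivity levels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

class MacViolation(PermissionError): pass

@dataclass
class Monitor:
    """Reference monitor: every decision is made here, never by the subject."""
    policy: str = "blp"                           # "blp" (confidentiality) or "biba" (integrity)
    subjects: dict = field(default_factory=dict)  # subject name -> level
    objects: dict = field(default_factory=dict)   # object name -> level
    trusted: set = field(default_factory=set)     # subjects exempt from the constraints

    def _allowed(self, subj, obj, op):
        s, o = LEVELS[self.subjects[subj]], LEVELS[self.objects[obj]]
        if self.policy == "blp":  # Bell-LaPadula: no read up, no write down
            return s >= o if op == "read" else s <= o
        return s <= o if op == "read" else s >= o  # Biba: no read down, no write up

    def access(self, subj, obj, op):
        """Uniform enforcement: an untrusted subject has no path around this check."""
        if subj not in self.trusted and not self._allowed(subj, obj, op):
            raise MacViolation(f"{subj} may not {op} {obj}")
        return True

    def create(self, subj, obj):
        """New objects get the creator's level; the subject cannot choose the label."""
        self.objects[obj] = self.subjects[subj]
        return self.objects[obj]

    def relabel(self, subj, obj, level):
        """Changing security attributes is reserved to trusted subjects."""
        if subj not in self.trusted:
            raise MacViolation(f"{subj} may not relabel {obj}")
        self.objects[obj] = level

    def grant(self, subj, other):
        """Privileges cannot be passed on; only a trusted subject may extend trust."""
        if subj not in self.trusted:
            raise MacViolation(f"{subj} may not grant privileges to {other}")
        self.trusted.add(other)

def decide(monitor, subj, obj, op):  # True/False form of Monitor.access
    try:
        return monitor.access(subj, obj, op)
    except MacViolation:
        return False
```

Under the BLP policy a SECRET subject can read an UNCLASSIFIED object but not write to it, which is exactly the "cannot pass information to unauthorized subjects or objects" constraint; swapping in the Biba policy inverts both rules to protect integrity instead.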

Related Controls (1)

SC-7

CCI Identifiers (15)

CCI-000022: The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources.
CCI-001409: The organization defines nondiscretionary access control policies to be enforced over the organization-defined set of users and resources, where the rule set for each policy specifies access control information employed by the policy rule set (e.g., position, nationality, age, project, time of day) and required relationships among the access control information to permit access.
CCI-001410: The organization defines the set of users and resources over which the information system is to enforce nondiscretionary access control policies.
CCI-002153: Defines the mandatory access control policies that are to be enforced over all subjects and objects.
CCI-002154: Enforce organization-defined mandatory access control policy over the set of covered subjects and objects specified in the policy, and where the policy is uniformly enforced across the covered subjects and objects within the system.
CCI-002155: Enforce organization-defined mandatory access control policy over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects.
CCI-002156: Enforce organization-defined mandatory access control policy over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information is constrained from granting its privileges to other subjects.
CCI-002157: Enforce organization-defined mandatory access control policy over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the system, or system components.
CCI-002158: Enforce organization-defined mandatory access control policy over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information is constrained from choosing the security attributes to be associated with newly created or modified objects.
CCI-002159: Enforce organization-defined mandatory access control policy over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information is constrained from choosing the attribute values to be associated with newly created or modified objects.
CCI-002160: Enforce organization-defined mandatory access control policy over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information is constrained from changing the rules governing access control.
CCI-002161: Defines subjects which may explicitly be granted organization-defined privileges such that they are not limited by any of the mandatory access control constraints.
CCI-002162: Defines the privileges that may explicitly be granted to organization-defined subjects such that they are not limited by any of the mandatory access control constraints.
CCI-003014: Enforce organization-defined mandatory access control policies over all subjects and objects.
CCI-003015: Specifies that organization-defined subjects may explicitly be granted organization-defined privileges such that they are not limited by any defined subset (or all) of the above constraints.

Linked STIG Checks (3)

Across 3 STIGs.