AC-2: Account Management
From NIST's SP800-53:
a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
b. Assign account managers;
c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
d. Specify:
   1. Authorized users of the system;
   2. Group and role membership; and
   3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
g. Monitor the use of accounts;
h. Notify account managers and [Assignment: organization-defined personnel or roles] within:
   1. [Assignment: organization-defined time period] when accounts are no longer required;
   2. [Assignment: organization-defined time period] when users are terminated or transferred; and
   3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
i. Authorize access to the system based on:
   1. A valid access authorization;
   2. Intended system usage; and
   3. [Assignment: organization-defined attributes (as required)];
j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];
k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
l. Align account management processes with personnel termination and transfer processes.
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NIST's SP800-53/CSF Crosswalk mappings.
| Control ID | Description |
|---|---|
| PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
| PR.AC-4 | Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties |
| DE.CM-1 | The network is monitored to detect potential cybersecurity events |
| DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events |
| PR.AC-6 | Identities are proofed and bound to credentials and asserted in interactions |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1087.004 | Cloud Account | Discovery |
| T1197 | BITS Jobs | Defense Evasion, Persistence |
| T1538 | Cloud Service Dashboard | Discovery |
| T1552.006 | Group Policy Preferences | Credential Access |
| T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1559.001 | Component Object Model | Execution |
| T1569.002 | Service Execution | Execution |
| T1213.003 | Code Repositories | Collection |
| T1563 | Remote Service Session Hijacking | Lateral Movement |
| T1562.006 | Indicator Blocking | Defense Evasion |
| T1556.001 | Domain Controller Authentication | Credential Access, Defense Evasion, Persistence |
| T1601.001 | Patch System Image | Defense Evasion |
| T1606.001 | Web Cookies | Credential Access |
| T1562.009 | Safe Mode Boot | Defense Evasion |
| T1003.002 | Security Account Manager | Credential Access |
| T1218 | System Binary Proxy Execution | Defense Evasion |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1542 | Pre-OS Boot | Defense Evasion, Persistence |
| T1601.002 | Downgrade System Image | Defense Evasion |
| T1543.004 | Launch Daemon | Persistence, Privilege Escalation |
| T1601 | Modify System Image | Defense Evasion |
| T1003.006 | DCSync | Credential Access |
| T1025 | Data from Removable Media | Collection |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1003.003 | NTDS | Credential Access |
| T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1599 | Network Boundary Bridging | Defense Evasion |
| T1569 | System Services | Execution |
| T1567 | Exfiltration Over Web Service | Exfiltration |
| T1222 | File and Directory Permissions Modification | Defense Evasion |
| T1021.003 | Distributed Component Object Model | Lateral Movement |
| T1070.003 | Clear Command History | Defense Evasion |
| T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1005 | Data from Local System | Collection |
| T1547.012 | Print Processors | Persistence, Privilege Escalation |
| T1562.002 | Disable Windows Event Logging | Defense Evasion |
| T1505.005 | Terminal Services DLL | Persistence |
| T1606.002 | SAML Tokens | Credential Access |
| T1556.006 | Multi-Factor Authentication | Credential Access, Defense Evasion, Persistence |
| T1070.001 | Clear Windows Event Logs | Defense Evasion |
| T1612 | Build Image on Host | Defense Evasion |
| T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
| T1134.002 | Create Process with Token | Defense Evasion, Privilege Escalation |
| T1185 | Browser Session Hijacking | Collection |
| T1552.001 | Credentials In Files | Credential Access |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1552.002 | Credentials in Registry | Credential Access |
| T1562.004 | Disable or Modify System Firewall | Defense Evasion |