NIST 800-53 REV 5 • ACCESS CONTROL

AC-24 Access Control Decisions

{{ insert: param, ac-24_odp.01 }} to ensure {{ insert: param, ac-24_odp.02 }} are applied to each access request prior to access enforcement.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when systems enforce access control decisions. While it is common to have access control decisions and access enforcement implemented by the same entity, it is not required, and it is not always an optimal implementation choice. For some architectures and distributed systems, different entities may make access control decisions and enforce access.

Practitioner Notes

Access control decisions — whether to grant or deny a request — should be made by a defined mechanism, not left to chance. This control is about having an explicit decision point that evaluates every access request.

Example 1: Azure AD Conditional Access is your access control decision point for cloud resources. Every authentication request is evaluated against your policies — user, device, location, risk level — and the decision is either grant, deny, or require additional verification.

Example 2: For network access, your NAC (Network Access Control) solution (Cisco ISE, Aruba ClearPass) evaluates every device trying to connect to the network. It checks device posture (AV up to date, patches applied, encryption enabled) and either grants access, quarantines the device, or denies access.
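The decision/enforcement split the guidance describes, as an added example that is not part of the NIST text or of any vendor product: a small policy decision point evaluating user, device posture, location and risk (the attributes Examples 1 and 2 name) and returning grant, deny or step-up, with a separate enforcement point that acts only on a recorded decision. The attribute values, rules and sample requests are constructed for illustration.

```python
# Added example, not part of the NIST control text: a minimal policy decision
# point (PDP) kept separate from the enforcement point (PEP), per AC-24.
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    GRANT = "grant"
    DENY = "deny"
    STEP_UP = "require_additional_verification"  # e.g. MFA prompt

@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    device_compliant: bool   # posture check passed (AV, patches, encryption)
    location: str            # constructed values: "corp", "home", "unknown"
    risk: str                # constructed values: "low", "medium", "high"

def decide(req: AccessRequest) -> Decision:
    """PDP: evaluate one request against ordered rules; first match wins.
    Anything no rule covers falls through to DENY (fail closed)."""
    if req.risk == "high" or not req.device_compliant:
        return Decision.DENY
    if req.location == "corp" and req.risk == "low":
        return Decision.GRANT
    if req.location in ("home", "unknown") or req.risk == "medium":
        return Decision.STEP_UP
    return Decision.DENY

class EnforcementPoint:
    """PEP: obtains a decision for every request before granting anything.
    The PDP is injected, so it can be swapped for a central policy service."""

    def __init__(self, pdp):
        self._pdp = pdp
        self.audit = []  # (user, resource, decision) records for review

    def handle(self, req: AccessRequest, mfa_passed: bool = False) -> bool:
        decision = self._pdp(req)  # decision first, enforcement second
        self.audit.append((req.user, req.resource, decision))
        if decision is Decision.GRANT:
            return True
        if decision is Decision.STEP_UP:
            return mfa_passed  # access only after additional verification
        return False
```

The audit list is what an assessor would ask to see: one decision per request, recorded before any access was enforced.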