NIST 800-53 REV 5 • ACCESS CONTROL

AC-24(2) No User or Process Identity

Enforce access control decisions based on {{ insert: param, ac-24.2_prm_1 }} that do not include the identity of the user or process acting on behalf of the user.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions, and especially in the case of distributed systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish. MAC, RBAC, ABAC, and label-based control policies, for example, might not include user identity as an attribute.

Practitioner Notes

Make access decisions without requiring user or process identity — based solely on security attributes of the information. This supports environments where anonymity is needed but access still must be controlled.

Example 1: In a cross-domain solution, configure the guard to make transfer decisions based solely on the data's classification label, not on who is sending it. If the data is marked UNCLASSIFIED, it can flow to the lower domain regardless of the user's identity.

Example 2: In a DLP system, configure rules based on content sensitivity rather than user identity. The DLP policy blocks any document containing CUI markings from being uploaded to public cloud storage — regardless of who is doing the uploading or what their role is.
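Both examples reduce to the same decision rule: compare the label of the information with the label of the destination and ignore who made the request. The following Python is an added illustration of that rule, not text from NIST or from any product; the level ordering, the compartment handling, the CUI marking pattern and the TransferRequest shape are all constructed assumptions for this example. It also generalizes Example 1 slightly by treating compartments as part of the label, so a label with an extra caveat cannot flow to a domain that lacks it.

```python
"""Label-based access decisions that never consult user or process identity.

Added example for AC-24(2); the lattice, markings and request shape are
constructed assumptions, not an official policy.
"""
from dataclasses import dataclass
import re

# Ordered classification levels (constructed for this example).
LEVELS = {"UNCLASSIFIED": 0, "CUI": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security attributes of information or of a domain: level plus caveats."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if information labelled `other` may flow into a domain labelled `self`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def guard_decision(data_label: Label, destination: Label) -> bool:
    """Cross-domain guard rule (Example 1): permit a transfer only if the
    destination label dominates the data label. The signature deliberately has
    no parameter for a user, role or process identity."""
    return destination.dominates(data_label)


# Marking patterns that cause content to be treated as CUI (constructed,
# case-sensitive so that ordinary words such as "cuisine" are not matched).
CUI_MARKINGS = re.compile(r"\b(CUI|CONTROLLED UNCLASSIFIED INFORMATION)\b")


def infer_label(content: str) -> Label:
    """Derive a label from the content itself; unmarked content is UNCLASSIFIED."""
    if CUI_MARKINGS.search(content):
        return Label("CUI")
    return Label("UNCLASSIFIED")


# Public cloud storage is treated as an UNCLASSIFIED destination (assumption).
PUBLIC_CLOUD = Label("UNCLASSIFIED")


def dlp_upload_allowed(content: str, destination: Label = PUBLIC_CLOUD) -> bool:
    """DLP rule (Example 2): block CUI-marked content from an UNCLASSIFIED
    destination regardless of who is uploading it."""
    return guard_decision(infer_label(content), destination)


@dataclass
class TransferRequest:
    """A request as it might arrive at the enforcement point. Identity may be
    present on the wire (hypothetical field), but the policy never reads it."""
    content: str
    destination: Label
    requester: str = ""  # carried for transport only; never consulted


def evaluate(req: TransferRequest) -> dict:
    """Decide and produce an audit record that contains labels only, so the
    record itself does not reveal who asked (the privacy case in the guidance)."""
    label = infer_label(req.content)
    allowed = guard_decision(label, req.destination)
    return {"label": label.level, "destination": req.destination.level,
            "allowed": allowed}


if __name__ == "__main__":
    # Constructed sample requests: the same content yields the same decision
    # whatever the requester field says.
    for who in ("alice", "svc-backup", ""):
        req = TransferRequest("CUI//SP-PRVCY quarterly report", PUBLIC_CLOUD, who)
        print(who or "<anonymous>", evaluate(req))
```

The useful property to check in a real deployment is the one the code makes structural: the decision function has no identity input at all, so a reviewer can confirm by inspection that changing the requester cannot change the outcome, and the audit record can be retained without creating a log of who handled which document.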