NIST 800-53 REV 5 • ACCESS CONTROL

AC-3(10) Audited Override of Access Control Mechanisms

Employ an audited override of automated access control mechanisms under {{ insert: param, ac-03.10_odp.01 }} by {{ insert: param, ac-03.10_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

In certain situations, such as when there is a threat to human life or an event that threatens the organization’s ability to carry out critical missions or business functions, an override capability for access control mechanisms may be needed. Override conditions are defined by organizations and used only in those limited circumstances. Audit events are defined in [AU-2](#au-2). Audit records are generated in [AU-12](#au-12).

Practitioner Notes

Sometimes authorized users need to override access controls in an emergency. This control says that is allowed — but every override must be logged, audited, and reviewed. No one gets to bypass controls quietly.

Example 1: Configure your PAM tool (CyberArk, BeyondTrust) to allow emergency break-glass access but require a reason code and record the entire session. Set up an automatic alert to the CISO whenever a break-glass event occurs, and require a follow-up review within 24 hours.

Example 2: In Azure AD PIM, when a user activates an emergency role, require them to enter a justification and set the maximum duration to 4 hours. Configure the Alerts section in PIM to send notifications to your security distribution list for every activation of Global Admin or Security Admin roles.
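The two examples above share one pattern: an override is granted only under an organization-defined condition, only with a stated reason, only for a bounded time, and never without an audit record, an alert and a later review. The following is an added illustration of that pattern as a small gate in Python; it is not code from this page, from any PAM product, or from Azure AD PIM. The condition names, the 4-hour cap, the 24-hour review window, the reference clock and the alert list are constructed assumptions that mirror the two examples.

```python
# Added example: a small audited break-glass gate modelled on AC-3(10).
# Illustration code written for this page, not the code of any PAM product
# or of Azure AD PIM. Condition names, the 4-hour cap, the 24-hour review
# window and the alert list are constructed assumptions taken from the two
# practitioner examples; alerts_sent stands in for an email/SIEM hook.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Organisation-defined override conditions (the control's first parameter), assumed.
OVERRIDE_CONDITIONS = {"life_safety", "critical_mission_outage"}
MAX_OVERRIDE_DURATION = timedelta(hours=4)   # assumed cap (mirrors Example 2)
REVIEW_DEADLINE = timedelta(hours=24)        # assumed window (mirrors Example 1)

# Fixed reference clock so the scenario is reproducible offline.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def hours_after(n: float) -> datetime:
    """Timestamp n hours after the reference clock T0."""
    return T0 + timedelta(hours=n)


@dataclass
class OverrideRecord:
    user: str
    role: str
    condition: str
    justification: str
    activated_at: datetime
    expires_at: datetime
    alerted: List[str] = field(default_factory=list)
    reviewed_by: Optional[str] = None
    reviewed_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        return self.activated_at <= now < self.expires_at


class AuditedOverrideGate:
    """Grants an override only under a defined condition, with a justification,
    a bounded duration, an audit record and an alert, and tracks the review."""

    def __init__(self, alert_recipients: List[str]):
        self.records: List[OverrideRecord] = []
        self.alert_recipients = list(alert_recipients)
        self.alerts_sent: List[Tuple[str, str]] = []   # (recipient, message)

    def activate(self, user: str, role: str, condition: str, justification: str,
                 now: datetime, requested_hours: float = 4) -> OverrideRecord:
        if condition not in OVERRIDE_CONDITIONS:
            raise PermissionError(f"{condition!r} is not an approved override condition")
        if not justification or not justification.strip():
            raise ValueError("a justification is required for every override")
        # Requested duration is honoured only up to the cap, never beyond it.
        duration = min(timedelta(hours=requested_hours), MAX_OVERRIDE_DURATION)
        rec = OverrideRecord(user, role, condition, justification.strip(),
                             now, now + duration)
        # The audit record and the alert are produced before the override is
        # handed back, so no override can occur without a record of it.
        self.records.append(rec)
        for recipient in self.alert_recipients:
            self.alerts_sent.append(
                (recipient, f"break-glass: {user} activated {role} under {condition}"))
            rec.alerted.append(recipient)
        return rec

    def review(self, rec: OverrideRecord, reviewer: str, now: datetime) -> None:
        # Separation of duties: the invoking user cannot close their own review.
        if reviewer == rec.user:
            raise PermissionError("an override must be reviewed by someone else")
        rec.reviewed_by = reviewer
        rec.reviewed_at = now

    def overdue_reviews(self, now: datetime) -> List[OverrideRecord]:
        """Overrides still unreviewed once the review deadline has passed."""
        return [r for r in self.records
                if r.reviewed_by is None and now - r.activated_at > REVIEW_DEADLINE]


if __name__ == "__main__":
    gate = AuditedOverrideGate(["ciso@example.org", "secops@example.org"])
    rec = gate.activate("alice", "Global Admin", "critical_mission_outage",
                        "restore payroll system during outage",   # constructed reason
                        hours_after(0), requested_hours=8)
    print("expires:", rec.expires_at, "| alerts sent:", len(gate.alerts_sent))
    print("overdue after 25h:", [r.user for r in gate.overdue_reviews(hours_after(25))])
```

The point to notice is the ordering in `activate`: the record is written and the alert is raised before the override is returned, so the "no one bypasses controls quietly" requirement is enforced by construction rather than by a later report, and `overdue_reviews` gives the reviewer the same 24-hour follow-up check that Example 1 asks a PAM tool to provide.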