NIST 800-53 REV 5 • ACCESS CONTROL
AC-3(12) — Assert and Enforce Application Access
(a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: {{ insert: param, ac-03.12_odp }};
(b) Provide an enforcement mechanism to prevent unauthorized access; and
(c) Approve access changes after initial installation of the application.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Asserting and enforcing application access is intended to address applications that need to access existing system applications and functions, including user contacts, global positioning systems, cameras, keyboards, microphones, networks, phones, or other files.
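The three parts of the control (assert at install, enforce at runtime, approve later changes) as a small working model. This is an added example, not part of the NIST catalog text; the set of system functions, the app names and the approver are constructed for illustration.

```python
"""Added example, not part of the NIST catalog text: a minimal model of the
three parts of AC-3(12). An application asserts at install time which system
functions it needs, an enforcement layer denies anything it did not assert,
and any change after installation stays pending until an approver grants it.
The function names, app names and approver below are constructed."""
from dataclasses import dataclass, field

# Constructed set of protected system functions, mirroring the examples in the
# supplemental guidance (contacts, GPS, camera, microphone, ...).
SYSTEM_FUNCTIONS = frozenset(
    {"contacts", "gps", "camera", "keyboard", "microphone", "network", "phone", "files"}
)


class AccessDenied(PermissionError):
    """Raised by the enforcement mechanism for access that was never asserted and approved."""


@dataclass
class InstalledApp:
    name: str
    granted: set = field(default_factory=set)    # access approved at install or later
    pending: dict = field(default_factory=dict)  # post-install requests awaiting approval
    audit: list = field(default_factory=list)    # (function, reason, approver) records


class AccessRegistry:
    """Holds the asserted and approved access of every installed application."""

    def __init__(self):
        self.apps = {}

    def install(self, name, asserted):
        """Part (a): the app asserts the functions it needs as part of installation.
        Unknown names are rejected, and the asserted set is all the app gets until
        a change is approved."""
        asserted = set(asserted)
        unknown = asserted - SYSTEM_FUNCTIONS
        if unknown:
            raise ValueError(f"{name} asserted unknown functions: {sorted(unknown)}")
        self.apps[name] = InstalledApp(name, granted=asserted)
        return sorted(asserted)

    def check(self, name, function):
        """Part (b): every use of a system function is checked against the app's
        granted set. Unknown apps and unasserted functions are denied (fail closed)."""
        app = self.apps.get(name)
        if app is None or function not in app.granted:
            raise AccessDenied(f"{name} is not authorized for {function}")
        return True

    def is_allowed(self, name, function):
        """Boolean form of check() for callers that prefer a decision to an exception."""
        try:
            return self.check(name, function)
        except AccessDenied:
            return False

    def request_change(self, name, function, reason):
        """Part (c), step 1: a post-install request is only recorded; enforcement
        keeps denying the function until someone approves it."""
        if function not in SYSTEM_FUNCTIONS:
            raise ValueError(f"unknown function {function}")
        self.apps[name].pending[function] = reason
        return "pending"

    def approve(self, name, function, approver):
        """Part (c), step 2: an explicit approval moves a function from pending to
        granted, and the approver is recorded so the change is attributable."""
        app = self.apps[name]
        if function not in app.pending:
            raise LookupError(f"no pending request from {name} for {function}")
        reason = app.pending.pop(function)
        app.granted.add(function)
        app.audit.append((function, reason, approver))
        return sorted(app.granted)


def demo():
    """Walks a constructed 'notes' app through install, denial, request and approval."""
    reg = AccessRegistry()
    events = []
    reg.install("notes", ["files", "keyboard"])
    events.append(("files", reg.check("notes", "files")))
    try:
        reg.check("notes", "camera")                      # never asserted: denied
    except AccessDenied as exc:
        events.append(("camera", str(exc)))
    reg.request_change("notes", "camera", "scan paper documents")
    if not reg.is_allowed("notes", "camera"):             # still denied while pending
        events.append(("camera", "denied while pending"))
    reg.approve("notes", "camera", approver="sec-admin")
    events.append(("camera", reg.check("notes", "camera")))
    return events


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The point to notice is the gap between request_change and approve: the enforcement layer keeps denying the new function throughout, so an application cannot widen its own access by merely asking for it.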
Practitioner Notes
This control is about applications asserting the access they need and enforcing it themselves, in addition to whatever the operating system enforces. The application itself must check that the user is authorized for each action rather than relying on authentication alone.
Example 1: In a custom web application, implement authorization checks at every API endpoint using middleware. In ASP.NET, apply [Authorize(Policy = "CanEditOrders")] attributes on controllers or individual actions. Never assume that because a user has authenticated, they are authorized for every function.
Example 2: Configure your API gateway (AWS API Gateway, Azure API Management) to enforce OAuth 2.0 scopes. Each API endpoint should require a specific scope — for example, read:users versus write:users — and the gateway rejects requests that lack the required scope before they reach your backend.
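The per-endpoint enforcement that Examples 1 and 2 describe, as an added example that is not from the page or any gateway vendor: each route is bound to the scope it requires, a gateway function checks the caller's scopes before the backend sees the request, and routes with no declared policy fail closed. The route table, scope names, tokens and backend are constructed; in a real deployment the token's signature, issuer and expiry are validated before its scopes are trusted.

```python
"""Added example, not from the page or any gateway vendor: a model of
per-endpoint scope enforcement in front of a backend. The route table,
scopes, tokens and backend below are constructed for illustration."""

# Constructed policy table: (method, path) -> scope the caller must hold.
ROUTE_SCOPES = {
    ("GET", "/users"): "read:users",
    ("POST", "/users"): "write:users",
    ("PUT", "/orders"): "edit:orders",
}


def required_scope(method, path):
    """Look up the scope a route requires; None means no policy was declared."""
    return ROUTE_SCOPES.get((method, path))


def backend(request):
    """Constructed stand-in for the protected service behind the gateway."""
    return f"{request['method']} {request['path']} handled for {request['token']['sub']}"


def gateway(request, handler=backend):
    """Authorization gate that runs before the handler.

    Returns (status, body): 401 when there is no token at all (unauthenticated),
    403 when the token is present but lacks the route's scope (authenticated but
    not authorized), and 403 for routes nobody registered a policy for, so a
    forgotten entry cannot silently expose an endpoint."""
    token = request.get("token")
    if token is None:
        return 401, "authentication required"
    scope = required_scope(request["method"], request["path"])
    if scope is None:
        return 403, "no access policy declared for endpoint"
    if scope not in token.get("scopes", ()):
        return 403, f"missing required scope {scope}"
    return 200, handler(request)


def run_sample_traffic():
    """Constructed requests covering each decision the gate can make."""
    reader = {"sub": "alice", "scopes": ["read:users"]}
    writer = {"sub": "bob", "scopes": ["read:users", "write:users"]}
    requests = [
        {"method": "GET", "path": "/users", "token": reader},
        {"method": "POST", "path": "/users", "token": reader},    # authenticated, not authorized
        {"method": "POST", "path": "/users", "token": writer},
        {"method": "DELETE", "path": "/users", "token": writer},  # no policy declared
        {"method": "GET", "path": "/users"},                      # no token
    ]
    return [gateway(r)[0] for r in requests]


if __name__ == "__main__":
    for status in run_sample_traffic():
        print(status)
```

The second request is the case the note warns about: alice is fully authenticated, yet the gate still rejects the write because the policy for that endpoint is checked independently of the fact that she has a token. The fourth request shows why the policy table should be treated as a deny-by-default list: an endpoint that was never registered is refused rather than passed through.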