NIST 800-53 REV 5 • ACCESS CONTROL
AC-3(13) — Attribute-based Access Control
Enforce attribute-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-03.13_odp }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Attribute-based access control is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, identity), action attributes (e.g., read, write, delete), environmental attributes (e.g., time of day, location), and resource attributes (e.g., classification of a document). Organizations can create rules based on attributes and the authorizations (i.e., privileges) to perform needed operations on the systems associated with organization-defined attributes and rules. When users are assigned to attributes defined in attribute-based access control policies or rules, they can be provisioned to a system with the appropriate privileges or dynamically granted access to a protected resource. Attribute-based access control can be implemented as either a mandatory or discretionary form of access control. When implemented with mandatory access controls, the requirements in [AC-3(3)](#ac-3.3) define the scope of the subjects and objects covered by the policy.
Practitioner Notes
Attribute-Based Access Control (ABAC) makes access decisions based on attributes of the user, the resource, and the environment — things like department, clearance level, time of day, or device compliance.
Example 1: In Azure AD Conditional Access, build a policy that grants access to the finance application only when all these conditions are met: user is in the Finance group, device is compliant in Intune, sign-in is from a US IP address, and risk level is low. This is ABAC in practice — multiple attributes evaluated together.
Example 2: In AWS, use IAM policy conditions to restrict S3 bucket access based on attributes: "Condition": {"StringEquals": {"aws:PrincipalTag/Department": "Engineering"}}. Tag your users with department attributes and your resources with matching tags. Access is granted only when the tags align.
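The two practitioner examples above are the same mechanism seen through two vendors: a request is allowed only when every required attribute (subject, action, environment, resource) lines up, and anything else is denied by default. The following deny-by-default evaluator is an added illustration, not code from NIST, Microsoft or AWS; the attribute names, tag keys and sample requests are constructed for the demo. It models the multi-attribute rule from Example 1 and, for Example 2, generalises the StringEquals condition to the "tags align" form where the principal's Department tag must equal the resource's Department tag.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Added illustration, not NIST or vendor code. Attribute names such as
"groups", "device_compliant", "country" and "sign_in_risk" are
constructed stand-ins for the Conditional Access signals in Example 1;
the "aws:PrincipalTag/..." and "aws:ResourceTag/..." keys mirror the
IAM condition keys used in Example 2.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Request:
    """One access request, split into the four ABAC attribute categories
    named in the supplemental guidance: subject, action, environment, resource."""
    subject: Dict[str, str]
    action: str
    environment: Dict[str, str]
    resource: Dict[str, str]


# A condition is a predicate over the whole request.
Condition = Callable[[Request], bool]


@dataclass
class Rule:
    """A named rule: the actions it permits and the conditions that must ALL hold."""
    name: str
    actions: Set[str]
    conditions: List[Condition] = field(default_factory=list)

    def matches(self, req: Request) -> bool:
        return req.action in self.actions and all(c(req) for c in self.conditions)


def evaluate(rules: List[Rule], req: Request) -> str:
    """Deny by default: access is allowed only if some rule fully matches."""
    for rule in rules:
        if rule.matches(req):
            return "allow"
    return "deny"


# Example 1: group membership, device compliance, location and risk
# are evaluated together; a single failing attribute denies the request.
finance_app_rule = Rule(
    name="finance-app-access",
    actions={"read", "write"},
    conditions=[
        lambda r: "Finance" in r.subject.get("groups", "").split(","),
        lambda r: r.environment.get("device_compliant") == "true",
        lambda r: r.environment.get("country") == "US",
        lambda r: r.environment.get("sign_in_risk") == "low",
    ],
)


def principal_tag_matches_resource_tag(key: str) -> Condition:
    """Example 2, generalised: the principal's tag must equal the resource's
    tag for the same key. A missing tag on either side is a deny."""
    def cond(r: Request) -> bool:
        ptag = r.subject.get(f"aws:PrincipalTag/{key}")
        rtag = r.resource.get(f"aws:ResourceTag/{key}")
        return ptag is not None and ptag == rtag
    return cond


s3_rule = Rule(
    name="s3-department-bucket",
    actions={"s3:GetObject", "s3:PutObject"},
    conditions=[principal_tag_matches_resource_tag("Department")],
)

POLICY: List[Rule] = [finance_app_rule, s3_rule]


def decide(subject: Dict[str, str], action: str,
           environment: Dict[str, str] = None,
           resource: Dict[str, str] = None) -> str:
    """Evaluate one request against the policy; returns "allow" or "deny"."""
    return evaluate(POLICY, Request(subject, action, environment or {}, resource or {}))


if __name__ == "__main__":
    # Constructed sample requests.
    env_ok = {"device_compliant": "true", "country": "US", "sign_in_risk": "low"}
    print(decide({"groups": "Finance,Staff"}, "read", env_ok))            # allow
    print(decide({"groups": "Finance,Staff"}, "read",
                 dict(env_ok, sign_in_risk="medium")))                     # deny
    print(decide({"aws:PrincipalTag/Department": "Engineering"}, "s3:GetObject",
                 resource={"aws:ResourceTag/Department": "Engineering"})) # allow
    print(decide({"aws:PrincipalTag/Department": "Sales"}, "s3:GetObject",
                 resource={"aws:ResourceTag/Department": "Engineering"})) # deny
```

The design point worth noticing is that each rule is a conjunction and the policy as a whole is deny-by-default: an unrecognised action, an absent attribute or an untagged resource all fall through to "deny". When reviewing a real Conditional Access or IAM policy, check those same three failure paths, because a missing tag or a null attribute is where ABAC policies most often grant more than intended.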