NIST 800-53 REV 5 • ACCESS CONTROL

AC-3(15) Discretionary and Mandatory Access Control

Enforce {{ insert: param, ac-3.15_prm_1 }} over the set of covered subjects and objects specified in the policy; and Enforce {{ insert: param, ac-3.15_prm_2 }} over the set of covered subjects and objects specified in the policy.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Simultaneously implementing a mandatory access control policy and a discretionary access control policy can provide additional protection against the unauthorized execution of code by users or processes acting on behalf of users. This helps prevent a single compromised user or process from compromising the entire system.

Practitioner Notes

This control combines mandatory and discretionary access controls. The system enforces both MAC labels (set by policy) and DAC permissions (set by owners) simultaneously. Both must allow access for the request to succeed.

Example 1: On a Linux system with SELinux enabled (MAC) and standard Unix permissions (DAC), a user must pass both checks to access a file. Even if the file's Unix permissions allow read access, SELinux will block the request if policy does not allow the user's security context to access the file's context. Verify with ls -Z to see both permission layers.
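The two-layer decision in Example 1, as an added sketch that is not part of the original control text: it parses a constructed `ls -lZ` listing and evaluates a read request against the Unix mode bits and then against a hypothetical set of type-enforcement allow rules. The file paths, users, domains and the ALLOW_READ table are assumptions made for illustration, and root's DAC override is not modelled.

```python
import re

# Constructed sample of `ls -lZ` output (not taken from a real host).
SAMPLE_LS_LZ = """\
-rw-r--r--. 1 root  root  system_u:object_r:httpd_sys_content_t:s0 120 Jan  5 10:00 /var/www/html/index.html
-rw-r--r--. 1 root  root  system_u:object_r:shadow_t:s0            980 Jan  5 10:00 /etc/shadow.bak
-rw-------. 1 alice alice unconfined_u:object_r:user_home_t:s0      64 Jan  5 10:00 /home/alice/notes.txt
"""

# Hypothetical type-enforcement rules: (subject domain, object type) pairs allowed to read.
ALLOW_READ = {("httpd_t", "httpd_sys_content_t"), ("unconfined_t", "user_home_t")}

LINE = re.compile(
    r"^(?P<mode>[-d][rwxsStT-]{9})\.?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<ctx>\S+:\S+:\S+:\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>.+)$")

def parse(listing):
    """Map path -> DAC fields and SELinux type taken from `ls -lZ` text."""
    files = {}
    for line in listing.splitlines():
        m = LINE.match(line)
        if m:
            files[m["path"]] = {"mode": m["mode"], "owner": m["owner"],
                                "group": m["group"],
                                "type": m["ctx"].split(":")[2]}  # user:role:type:level
    return files

def dac_read(f, user, groups):
    """Unix check: the first matching class (owner, group, other) decides."""
    if user == f["owner"]:
        return f["mode"][1] == "r"
    if f["group"] in groups:
        return f["mode"][4] == "r"
    return f["mode"][7] == "r"

def mac_read(f, domain):
    """Type enforcement is default-deny: a read needs an explicit allow rule."""
    return (domain, f["type"]) in ALLOW_READ

def decide(f, user, groups, domain):
    """Both layers must allow; the result names the layer that denied."""
    if not dac_read(f, user, groups):
        return "deny:DAC"
    if not mac_read(f, domain):
        return "deny:MAC"
    return "allow"
```

The second sample file is the case the control targets: its mode bits are world-readable, yet a process in httpd_t is still denied because no allow rule covers shadow_t.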

Example 2: In a Windows classified environment, combine NTFS permissions (DAC) with Windows Information Protection or sensitivity labels (MAC). A user might own a document (DAC allows full control) but the sensitivity label prevents them from emailing it outside the organization (MAC overrides).