NIST 800-53 REV 5 • ACCESS CONTROL

AC-3(4)Discretionary Access Control

Enforce {{ insert: param, ac-3.4_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: Pass the information to any other subjects or objects; Grant its privileges to other subjects; Change security attributes on subjects, objects, the system, or the system’s components; Choose the security attributes to be associated with newly created or revised objects; or Change the rules governing access control.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing the information to other subjects or objects (i.e., subjects have the discretion to pass). Discretionary access control can operate in conjunction with mandatory access control as described in [AC-3(3)](#ac-3.3) and [AC-3(15)](#ac-3.15) . A subject that is constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of discretionary access control. Therefore, while [AC-3(3)](#ac-3.3) imposes constraints that prevent a subject from passing information to another subject operating at a different impact or classification level, [AC-3(4)](#ac-3.4) permits the subject to pass the information to any subject at the same impact or classification level. The policy is bounded by the system. Once the information is passed outside of system control, additional means may be required to ensure that the constraints remain in effect. While traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this particular use of discretionary access control.

Practitioner Notes

Discretionary Access Control (DAC) lets the data owner decide who can access their files. This is the traditional model — you create a file, you control the permissions. It is more flexible but relies on users making good choices.

Example 1: On Windows file shares, train users to set NTFS permissions through Properties → Security → Advanced and use security groups rather than individual users. Configure the GPO for Default owner for objects created by members of the Administrators group to be Object creator so ownership is tracked properly.

Example 2: In SharePoint Online, configure sharing settings under SharePoint Admin Center → Policies → Sharing. Set the default link type to Specific people instead of Anyone with the link. This ensures file owners must explicitly choose who gets access rather than accidentally sharing broadly.

More Access Control Controls

AC-1 Policy and Procedures AC-2 Account Management AC-2(1) Automated System Account Management AC-2(2) Automated Temporary and Emergency Account Management