NIST 800-53 REV 5 • ACCESS CONTROL
AC-3(5) — Security-relevant Information
Prevent access to {{ insert: param, ac-03.05_odp }} except during secure, non-operable system states.
Supplemental Guidance
Security-relevant information is information within systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security and privacy policies or maintain the separation of code and data. Security-relevant information includes access control lists, filtering rules for routers or firewalls, configuration parameters for security services, and cryptographic key management information. Secure, non-operable system states include the times in which systems are not performing mission or business-related processing, such as when the system is offline for maintenance, boot-up, troubleshooting, or shut down.
Practitioner Notes
This control restricts access to security-relevant information — things like security configuration data, vulnerability scan results, and audit logs. Only people who need this information for their job should be able to see it.
Example 1: Create a dedicated Active Directory security group called Security-Relevant-Data-Access. Apply NTFS permissions to folders containing STIG checklists, scan results, and POA&M documents so only this group can read them. Review membership quarterly.
Example 2: In your SIEM (Splunk, Sentinel), configure role-based access so that only the security team can view audit logs and alert data. In Splunk, set this under Settings → Access Controls → Roles and assign index-level permissions. Regular IT staff should not be able to view or modify security event data.