NIST 800-53 REV 5 • ACCESS CONTROL
AC-4(22) — Access Only
Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
The system provides a capability for users to access each connected security domain without providing any mechanisms to allow users to transfer data or information between the different security domains. An example of an access-only solution is a terminal that provides a user access to information with different security classifications while assuredly keeping the information separate.
Practitioner Notes
Access only means users can view information but cannot extract, download, copy, or print it. The data stays in the system — users get read access but cannot take anything out.
Example 1: In Azure Virtual Desktop (AVD), configure session host settings to disable clipboard redirection, drive redirection, and printer redirection. Users can view and work with documents in the virtual desktop but cannot copy content to their local machine.
Example 2: In SharePoint Online, use Conditional Access App Control (through Microsoft Defender for Cloud Apps) to create a session policy that allows users to view documents in the browser but blocks download, print, and copy-paste operations.
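A way to verify Example 1 after it has been configured, shown as an added example that is not part of the original page or any Microsoft tooling: the script parses an RDP properties string and reports any of the three redirection channels that is not explicitly disabled. It assumes the settings are expressed as a host pool's custom RDP properties string (semicolon-separated name:type:value entries); the function names and sample strings are constructed for illustration.

```python
# Added example: audit an AVD custom RDP properties string for the three
# redirection channels named in Example 1. Sample strings are constructed.

# Value each property must carry for the channel to count as disabled.
REQUIRED = {
    "redirectclipboard": ("i", "0"),  # clipboard redirection off
    "drivestoredirect": ("s", ""),    # empty list: no local drives redirected
    "redirectprinters": ("i", "0"),   # printer redirection off
}

def parse_rdp_properties(raw):
    """Parse 'name:type:value;...' into {name: (type, value)}; last entry wins."""
    props = {}
    for entry in raw.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate trailing or doubled semicolons
        parts = entry.split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3:
            raise ValueError(f"malformed RDP property: {entry!r}")
        name, typ, value = parts
        props[name.strip().lower()] = (typ.strip().lower(), value.strip())
    return props

def audit_access_only(raw):
    """Return sorted findings; an empty list means all three channels are disabled."""
    props = parse_rdp_properties(raw)
    findings = []
    for name, (typ, want) in REQUIRED.items():
        if name not in props:
            # Assumption: an absent property is reported, because the guidance
            # is to disable each channel explicitly rather than rely on defaults.
            findings.append(f"{name}: not set")
        elif props[name] != (typ, want):
            got_type, got_value = props[name]
            findings.append(
                f"{name}: {got_type}:{got_value!r} (expected {typ}:{want!r})")
    return sorted(findings)

if __name__ == "__main__":
    # Constructed samples, not taken from a real host pool.
    hardened = "redirectclipboard:i:0;drivestoredirect:s:;redirectprinters:i:0;audiomode:i:0"
    permissive = "redirectclipboard:i:1;drivestoredirect:s:*;audiomode:i:0"
    for label, raw in (("hardened", hardened), ("permissive", permissive)):
        print(label, audit_access_only(raw) or "OK")
```

Run it against the properties string exported from each host pool; any non-empty result is a channel through which content could still leave the virtual desktop.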