NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(9) Human Reviews

Enforce the use of human reviews for {{ insert: param, ac-04.09_odp.01 }} under the following conditions: {{ insert: param, ac-04.09_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Organizations define security or privacy policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of or as a complement to automated security or privacy policy filtering. Human reviews may also be employed as deemed necessary by organizations.

Practitioner Notes

Some data transfers are too sensitive or nuanced for automated filters alone. This control requires a human reviewer to approve certain information flows before they happen.

Example 1: Set up a SharePoint approval workflow for any file transfer request to an external party. The workflow routes to the data owner for content review and then to the ISSO for security approval. Both must sign off before the transfer is executed.

Example 2: In your cross-domain transfer process, require a human review station where a trained operator examines files queued for transfer. The operator checks for classification markings, embedded content, and metadata before approving release. Log every decision with the reviewer's identity and timestamp.
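Both examples reduce to the same enforcement pattern: an information flow is blocked until an ordered set of human reviews has recorded an approval, and every decision is written to an audit trail with the reviewer's identity and a timestamp. The following is an added illustration of that gate in Python; it is not part of NIST SP 800-53, SharePoint, or any cross-domain solution. The two stage names (data owner, then ISSO) follow Example 1; the separation-of-duties check that forbids one person from performing both reviews is an assumption added here, not something the control text states.

```python
"""Added example: a two-stage human review gate for outbound transfers.

A TransferRequest cannot be executed until the data owner (content review)
and then the ISSO (security review) have each recorded an approval. A
rejection at either stage blocks the transfer permanently for that request.
Every decision is logged with reviewer identity and a UTC timestamp.
Request ids, filenames and reviewer names in the tests are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Stage(Enum):
    DATA_OWNER = "data_owner"   # content review (Example 1, first approver)
    ISSO = "isso"               # security approval (Example 1, second approver)


# Reviews must happen in this order; a later stage cannot be recorded early.
REQUIRED_STAGES = (Stage.DATA_OWNER, Stage.ISSO)


class ReviewError(Exception):
    """Raised when a review or execution violates the workflow rules."""


@dataclass
class Decision:
    stage: Stage
    reviewer: str
    approved: bool
    reason: str
    timestamp: str  # ISO 8601, UTC


@dataclass
class TransferRequest:
    request_id: str
    filename: str
    destination: str
    decisions: list = field(default_factory=list)
    executed: bool = False

    def _next_stage(self):
        """Return the first stage that has no approval yet, or None."""
        approved = {d.stage for d in self.decisions if d.approved}
        for stage in REQUIRED_STAGES:
            if stage not in approved:
                return stage
        return None

    def is_rejected(self):
        return any(not d.approved for d in self.decisions)

    def record_decision(self, stage, reviewer, approved, reason=""):
        """Record one reviewer's decision; returns the approval flag."""
        if self.executed:
            raise ReviewError("transfer already executed")
        if self.is_rejected():
            raise ReviewError("request was rejected; open a new request")
        expected = self._next_stage()
        if expected is None:
            raise ReviewError("all reviews already complete")
        if stage is not expected:
            raise ReviewError(
                f"out-of-order review: expected {expected.value}, got {stage.value}")
        if not reviewer:
            raise ReviewError("reviewer identity is required")
        # Assumption (not in the control text): no single person performs both reviews.
        if any(d.reviewer == reviewer for d in self.decisions):
            raise ReviewError(f"{reviewer} already reviewed this request")
        self.decisions.append(Decision(
            stage, reviewer, approved, reason,
            datetime.now(timezone.utc).isoformat()))
        return approved

    def ready_to_execute(self):
        """True only when every required stage holds an approval and none rejected."""
        return not self.is_rejected() and self._next_stage() is None

    def execute(self):
        """Perform the transfer; refuses unless all human reviews approved."""
        if not self.ready_to_execute():
            raise ReviewError(
                f"transfer {self.request_id} blocked: missing or negative review")
        self.executed = True
        return True

    def audit_log(self):
        """One line per decision: timestamp, request, stage, reviewer, outcome."""
        return [
            f"{d.timestamp} {self.request_id} {d.stage.value} reviewer={d.reviewer} "
            f"decision={'APPROVE' if d.approved else 'REJECT'} reason={d.reason!r}"
            for d in self.decisions
        ]


if __name__ == "__main__":
    req = TransferRequest("REQ-0001", "quarterly-report.pdf", "partner.example")
    req.record_decision(Stage.DATA_OWNER, "alice", True, "no CUI present")
    req.record_decision(Stage.ISSO, "bob", True, "destination on approved list")
    req.execute()
    print("\n".join(req.audit_log()))
```

The point a practitioner should take from this is that the gate is enforced in code, not by convention: `execute()` consults the recorded decisions rather than trusting a caller's claim that review happened, and the audit lines are generated from the same records, so the log and the enforcement cannot disagree.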