NIST 800-53 REV 5 • ACCESS CONTROL

AC-6(1) Authorize Access to Security Functions

Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and (b) [Assignment: organization-defined security-relevant information].

Supplemental Guidance

Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users.

Practitioner Notes

You need to explicitly authorize who can access security functions — things like changing firewall rules, modifying audit settings, or managing encryption keys. Not every IT person should have access to security controls.

Example 1: Create a dedicated security group in AD called Security-Functions-Authorized. Only members of this group can access the SIEM console, modify GPOs related to security settings, or manage certificates. Review membership monthly with the ISSO.

Example 2: In M365, assign the Security Administrator role only to your security team members — not to general IT admins. Configure this in Azure AD → Roles and administrators. Your IT admins get User Administrator or Helpdesk Administrator roles instead, which do not grant access to security settings.
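One way to carry out the monthly membership review from Examples 1 and 2 in a repeatable form, as an added PowerShell example (not part of the NIST text or this site's notes). It assumes the RSAT ActiveDirectory and Microsoft.Graph modules are installed, that the reviewer has read rights on the group and the directory role, and that the ISSO-approved lists are passed in as parameters (the sample values are constructed).

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Identity.DirectoryManagement
# Added example: report drift between who actually holds security-function access
# and who the ISSO has approved. Group and role names come from Examples 1 and 2;
# the approved lists below are constructed placeholders, not real accounts.
param(
    [string]$GroupName = 'Security-Functions-Authorized',     # AD group (Example 1)
    [string]$RoleName  = 'Security Administrator',            # Entra ID role (Example 2)
    [string[]]$ApprovedAdUsers  = @('alice.sec', 'bob.sec'),  # sAMAccountNames, constructed
    [string[]]$ApprovedEntraUpn = @('alice.sec@example.com')  # UPNs, constructed
)

# Compare an observed set of principals with the approved list; both directions matter:
# an unapproved holder is an AC-6(1) finding, a missing approved user is stale paperwork.
function Get-AccessDrift {
    param([string]$Source, [string[]]$Observed, [string[]]$Approved)
    $obs = @($Observed | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    $ok  = @($Approved | ForEach-Object { $_.ToLowerInvariant() })
    [pscustomobject]@{
        Source     = $Source
        Observed   = $obs
        Unexpected = @($obs | Where-Object { $_ -notin $ok })  # has access, not approved
        Missing    = @($ok  | Where-Object { $_ -notin $obs }) # approved, no longer present
    }
}

# 1. On-prem AD: flatten nested groups so a user added via a nested group is not missed.
$adMembers = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName
$adReport = Get-AccessDrift -Source "AD:$GroupName" -Observed $adMembers -Approved $ApprovedAdUsers

# 2. Entra ID: holders of the directory role. Get-MgDirectoryRole lists only roles that
#    have been activated in the tenant, so an empty result means nobody holds it yet.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' -NoWelcome
$role = Get-MgDirectoryRole -Filter "displayName eq '$RoleName'"
$roleMembers = if ($role) {
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
} else { @() }
$entraReport = Get-AccessDrift -Source "Entra:$RoleName" -Observed $roleMembers -Approved $ApprovedEntraUpn

# Output both reports; anything in Unexpected needs an ISSO decision before sign-off.
$adReport, $entraReport | Format-List
```

Keep the ISSO-approved lists under change control (for example in the system security plan) so the script compares against the authorization of record rather than whatever the reviewer remembers.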