NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-8(15) — Predicate Permission
Implement the security design principle of predicate permission in {{ insert: param, sa-08.15_odp }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
The principle of predicate permission states that system designers consider requiring multiple authorized entities to provide consent before a highly critical operation or access to highly sensitive data, information, or resources is allowed to proceed. [SALTZER75](#c9495d6e-ef64-4090-8509-e58c3b9009ff) originally named predicate permission the separation of privilege. It is also equivalent to separation of duty. The division of privilege among multiple parties decreases the likelihood of abuse and provides the safeguard that no single accident, deception, or breach of trust is sufficient to enable an unrecoverable action that can lead to significantly damaging effects. The design options for such a mechanism may require simultaneous action (e.g., the firing of a nuclear weapon requires two different authorized individuals to give the correct command within a small time window) or a sequence of operations where each successive action is enabled by some prior action, but no single individual is able to enable more than one action.
Practitioner Notes
In these notes, predicate permission is treated as access decisions that depend on verifiable conditions (predicates) evaluated at the time of access, not only at the time of initial authorization. The supplemental guidance above frames the principle as consent from multiple authorized entities before a highly critical operation proceeds; continuously evaluated conditions are the checks that determine whether each such consent is currently valid.
Example 1: Implement Conditional Access policies that evaluate conditions at every login: user role, device compliance, location, and risk level. A user who was authorized yesterday from a compliant device in the office might be denied today if they log in from an unknown device in a foreign country.
Example 2: In Azure AD Conditional Access, create policies that require device compliance and MFA for all access, block access from risky sign-in locations, and enforce app-level restrictions based on user risk score. The access decision is made in real time from current conditions, not from a static permission grant.
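The following is an added example, not part of the NIST control text or these notes, showing both design options from the supplemental guidance in code: a simultaneous-action gate that needs consent from distinct authorized entities within a time window, and a sequential gate where no single principal enables more than one stage. Each approval is checked against predicates (role, device posture, MFA) at submission time, as the practitioner notes describe. The predicate set, window size, approver count, and the `Approval` record are constructed for illustration.

```python
from dataclasses import dataclass
WINDOW_SECONDS = 300      # constructed: simultaneous-action variant, 5-minute window
REQUIRED_APPROVERS = 2    # constructed: two distinct authorized entities must consent

@dataclass(frozen=True)
class Approval:
    principal: str
    role: str
    device_compliant: bool
    mfa: bool
    ts: float  # epoch seconds at which the approval was submitted

# Predicates are evaluated at submission time (role, device posture, MFA),
# not against a permission granted earlier.
PREDICATES = [
    lambda a: a.role == "release-manager",
    lambda a: a.device_compliant,
    lambda a: a.mfa,
]

def valid(a: Approval) -> bool:
    return all(p(a) for p in PREDICATES)

def authorize_simultaneous(approvals: list) -> tuple:
    """Allow only if REQUIRED_APPROVERS distinct principals each pass every
    predicate and their approvals fall within WINDOW_SECONDS of each other."""
    good = sorted((a for a in approvals if valid(a)), key=lambda a: a.ts)
    for i, first in enumerate(good):
        in_window = {a.principal for a in good[i:] if a.ts - first.ts <= WINDOW_SECONDS}
        if len(in_window) >= REQUIRED_APPROVERS:   # repeats by one principal count once
            return True, "approved"
    distinct = len({a.principal for a in good})
    if distinct < REQUIRED_APPROVERS:
        return False, f"need {REQUIRED_APPROVERS} distinct valid approvers, have {distinct}"
    return False, "valid approvals not within the time window"

def authorize_sequence(steps: list, stages: int) -> tuple:
    """Sequential variant: each stage is enabled only by a valid completion of the
    previous one, and no principal may enable more than one stage."""
    done = []
    for a in steps[:stages]:
        if not valid(a):
            return False, f"stage {len(done) + 1}: {a.principal} fails a predicate"
        if a.principal in done:
            return False, f"stage {len(done) + 1}: {a.principal} already enabled a stage"
        done.append(a.principal)
    if len(done) < stages:
        return False, f"sequence incomplete ({len(done)}/{stages})"
    return True, "sequence complete"
```

A second approval from the same principal, an approval that fails a predicate, or one that arrives outside the window does not count toward the required consent.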