NIST 800-53 REV 5 • ACCESS CONTROL

AC-2(11) Usage Conditions

Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time.

Practitioner Notes

This control is about defining specific conditions under which certain accounts can be used. For example, a break-glass account might only be used during a declared emergency, or a contractor account might only work during business hours.

Example 1: In Microsoft Entra (formerly Azure AD) Conditional Access, create a policy that targets only your emergency (break-glass) admin accounts and blocks sign-in from everywhere except a trusted named location covering your SOC or NOC egress range. Add an analytics rule in Microsoft Sentinel that fires on any sign-in by these accounts, successful or not, so the security team knows the moment they are used. Two caveats: test the policy in report-only mode before enforcing it, and keep the named-location range current, because a stale range locks the emergency accounts out exactly when they are needed. Microsoft's guidance is to exclude emergency access accounts from other Conditional Access policies, so this location restriction should be the only policy that applies to them.
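The policy described in Example 1, built with the Microsoft Graph PowerShell SDK rather than the portal. This is an added example, not code from the original page; the CIDR range, the account object IDs and the display names are placeholders you replace with your own values, and the session needs the Policy.ReadWrite.ConditionalAccess scope.

```powershell
# Added example (not from the original page). Creates a trusted named location
# for the SOC/NOC egress range, then a Conditional Access policy that blocks the
# break-glass accounts from every other location. Requires the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph). All identifiers are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$socRange      = "203.0.113.0/24"                              # placeholder egress range
$breakGlassIds = @("00000000-0000-0000-0000-000000000001")     # placeholder user object IDs

# Named location the policy will exempt. isTrusted also feeds risk evaluation.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "SOC-NOC egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $socRange }
    )
}

# Usage condition: these accounts, all apps, all locations EXCEPT the named one -> block.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "AC-2(11) break-glass accounts only from SOC/NOC"
    # Report-only first: review the sign-in log entries, then set state = "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

"Created policy '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"
```

Because the policy deliberately targets the emergency accounts, it is the one place where a wrong CIDR causes a lockout rather than a nuisance; confirm the range from the SOC's actual egress address in the sign-in log before you move the policy out of report-only mode.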

Example 2: For contractor accounts, configure logon hours in Active Directory Users and Computers under the account's Properties → Account tab → Logon Hours. Restrict them to Monday–Friday, 7:00 AM–6:00 PM. Two details matter for enforcement: the logonHours attribute is stored in UTC and the GUI converts to the local time zone of the workstation running it, so check the grid after applying; and logon hours only deny new logons unless you also enable the policy "Network security: Force logoff when logon hours expire", which disconnects SMB sessions when the window closes. Combine with a Conditional Access policy that blocks access from non-US locations, bearing in mind that IP geolocation is coarse and VPNs can bypass it, so pair it with a device compliance requirement where possible.
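The same restriction as Example 2, applied in PowerShell instead of the GUI. The logonHours attribute is a 21-byte bitmask: 168 bits, one per hour of the week, starting at Sunday 00:00 and held in UTC, with the first hour of each byte in its least significant bit. This is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module, the sAMAccountName contractor01 and a UTC offset of -5 (US Eastern standard time), all placeholders.

```powershell
# Added example (not from the original page). Builds the logonHours mask for a
# Monday-Friday 07:00-18:00 local window, converts it to the UTC layout the
# attribute uses, spot-checks it, and writes it with Set-ADUser.
# Assumes the ActiveDirectory module; 'contractor01' and the offset are placeholders.

function New-LogonHoursMask {
    param(
        [int[]]$Days,          # local days, 0 = Sunday ... 6 = Saturday
        [int]$StartHour,       # inclusive, 0-23, local time
        [int]$EndHour,         # exclusive, 1-24, local time
        [int]$UtcOffsetHours   # local = UTC + offset, e.g. -5 for US Eastern (standard time)
    )
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Hour-of-week index in UTC. The double modulo wraps a window that
            # crosses the Saturday/Sunday boundary after the offset is applied.
            $n    = ((($d * 24 + $h) - $UtcOffsetHours) % 168 + 168) % 168
            $byte = [int][math]::Floor($n / 8)
            $bit  = $n % 8                       # bit 0 = first hour covered by the byte
            $mask[$byte] = [byte]($mask[$byte] -bor (1 -shl $bit))
        }
    }
    return ,$mask
}

function Test-LogonHourAllowed {
    # Reads the mask the way a domain controller does: bit set = logon permitted.
    param([byte[]]$Mask, [datetime]$Utc)
    $n = ([int]$Utc.DayOfWeek) * 24 + $Utc.Hour    # DayOfWeek: Sunday = 0
    return (($Mask[[int][math]::Floor($n / 8)] -shr ($n % 8)) -band 1) -eq 1
}

$mask = New-LogonHoursMask -Days (1..5) -StartHour 7 -EndHour 18 -UtcOffsetHours -5

# Spot-check before writing anything to AD. 2024-01-08 is a Monday, 2024-01-13 a Saturday.
# Monday 07:00 EST is 12:00 UTC and must be allowed; Saturday 12:00 UTC must be denied.
if (-not (Test-LogonHourAllowed -Mask $mask -Utc ([datetime]::new(2024, 1, 8, 12, 0, 0, 'Utc')))) {
    throw "Mask does not allow Monday 07:00 local"
}
if (Test-LogonHourAllowed -Mask $mask -Utc ([datetime]::new(2024, 1, 13, 12, 0, 0, 'Utc'))) {
    throw "Mask allows Saturday"
}

Set-ADUser -Identity contractor01 -Replace @{ logonHours = $mask }
```

After applying, read the value back with Get-ADUser -Identity contractor01 -Properties logonHours and compare the Logon Hours grid in ADUC; if the grid is shifted by a few hours, the offset you passed does not match the time zone of the contractors, not a bug in the mask. Daylight saving changes the offset, so either re-run with the new offset twice a year or widen the window by an hour on each side.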