NIST 800-53 REV 5 • ACCESS CONTROL

AC-21(2) Information Search and Retrieval

Implement information search and retrieval services that enforce {{ insert: param, ac-21.02_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Information search and retrieval services identify information system resources relevant to an information need.

Practitioner Notes

Information search and retrieval systems must enforce sharing restrictions. Search results should only show data that the searcher is authorized to see.

Example 1: In SharePoint Search, verify that security trimming is enabled (it is by default). Users only see search results for documents they have permission to access. Test by searching with different user accounts to confirm results are properly filtered.

Example 2: For your SIEM or log management system, configure role-based access so that searches are scoped to the user's authorization level. In Splunk, assign index-level permissions to roles so that an HR analyst cannot search security logs and a security analyst cannot search HR system logs.
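The index scoping described in Example 2 can be expressed in Splunk's authorize.conf, shown here as an added illustration (not configuration from this page or from Splunk's documentation); the role and index names are made up, and the weak stanza is included only to contrast with the scoped ones.

```ini
# Weak: the wildcard grants this role every index, so an HR analyst could
# search security logs. Any role built like this defeats AC-21(2).
[role_hr_analyst_unscoped]
srchIndexesAllowed = *
srchIndexesDefault = *

# Scoped: each role may search only the indexes its duties require.
# Index access is the union of this list and the lists of any roles named
# in importRoles, so import only roles whose index scope is equally narrow.
[role_hr_analyst]
srchIndexesAllowed = hr_systems
srchIndexesDefault = hr_systems

[role_security_analyst]
srchIndexesAllowed = security;firewall;endpoint
srchIndexesDefault = security;firewall;endpoint
```

After deploying, confirm enforcement the same way Example 1 does for SharePoint: run the same search as a member of each role and verify that results from out-of-scope indexes never appear.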