NIST 800-53 REV 5 • ACCESS CONTROL

AC-24(1) Transmit Access Authorization Information

Transmit {{ insert: param, ac-24.01_odp.01 }} using {{ insert: param, ac-24.01_odp.02 }} to {{ insert: param, ac-24.01_odp.03 }} that enforce access control decisions.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Authorization processes and access control decisions may occur in separate parts of systems or in separate systems. In such instances, authorization information is transmitted securely (e.g., using cryptographic mechanisms) so that timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information supporting security and privacy attributes. This is because in distributed systems, there are various access control decisions that need to be made, and different entities make these decisions in a serial fashion, each requiring those attributes to make the decisions. Protecting access authorization information ensures that such information cannot be altered, spoofed, or compromised during transmission.

Practitioner Notes

Transmit access authorization information between systems so that access decisions made in one place are honored in another. This prevents users from having to re-authenticate at every system boundary.

Example 1: Implement SAML or OIDC federation between your identity provider (Azure AD) and your SaaS applications. When a user authenticates to Azure AD, the SAML assertion carries their role and group information to the application, which uses it to make its own access decisions.

Example 2: For API-based systems, use OAuth 2.0 tokens that carry authorization claims (scopes, roles). The identity provider mints the token with the user's authorizations, and downstream services validate and enforce those claims without needing to re-query the identity provider.
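As an added illustration of Example 2 (not code from the original page or from any NIST publication), the sketch below shows the identity provider minting a signed token that carries scope claims and a downstream resource server validating the signature, algorithm, issuer, audience and expiry before enforcing those claims locally; the `tamper_scope` helper shows why an altered claim is rejected, which is the protection the supplemental guidance describes. The issuer, audience, secret and claim values are constructed, and HS256 with a shared secret stands in for the asymmetric signature a real identity provider would use.

```python
import base64, hashlib, hmac, json

# Constructed demo secret; a real IdP would sign with a private key (RS256/ES256).
KEY = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://idp.example"   # assumed identity provider identifier
AUDIENCE = "orders-api"          # assumed resource server (API) identifier
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes = KEY) -> str:
    """IdP side: bind the authorization claims to an HMAC-SHA256 signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_token(token: str, now: float, key: bytes = KEY) -> dict:
    """Resource server side: verify before trusting any claim; ValueError on failure."""
    header, payload, sig = token.split(".")   # wrong part count -> ValueError
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")    # refuse alg switching and 'none'
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")     # claims altered or token forged
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")    # minted for a different service
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def has_scope(claims: dict, required: str) -> bool:
    return required in claims.get("scope", "").split()  # enforced locally, no IdP call

def rejection_reason(token: str, now: float) -> str:
    try:
        validate_token(token, now)
    except ValueError as e:
        return str(e)
    return ""                                 # empty string means accepted

def tamper_scope(token: str, new_scope: str) -> str:
    """Rewrite the scope claim without re-signing, as an on-path alteration would."""
    header, payload, sig = token.split(".")
    claims = {**json.loads(b64url_decode(payload)), "scope": new_scope}
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"
```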