NIST 800-53 REV 5 • ACCESS CONTROL

AC-3(11) Restrict Access to Specific Information Types

Restrict access to data repositories containing {{ insert: param, ac-03.11_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Restricting access to specific information is intended to provide flexibility regarding access control of specific information types within a system. For example, role-based access could be employed to allow access to only a specific type of personally identifiable information within a database rather than allowing access to the database in its entirety. Other examples include restricting access to cryptographic keys, authentication information, and selected system information.

Practitioner Notes

Some types of information, such as PII, CUI, medical records, or financial data, need access restrictions beyond those you apply to general data. This control requires you to identify those information types and restrict access to them specifically, rather than only at the level of the repository that holds them.

Example 1: In Microsoft Purview, create sensitivity labels for CUI, PII, and HIPAA-Protected. Configure auto-labeling policies that scan documents for SSNs, credit card numbers, and other sensitive patterns and apply the appropriate label with encryption and access restrictions automatically.

Example 2: In your database (SQL Server), use Dynamic Data Masking on columns containing SSNs, phone numbers, and email addresses. Configure it under Security → Dynamic Data Masking (or with T-SQL) so that queries from non-privileged users return masked values (e.g., XXX-XX-1234) while analysts who have been granted the UNMASK permission see the full data.
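As an added example, not taken from the original page, the configuration that Example 2 describes expressed in T-SQL for SQL Server or Azure SQL rather than through the portal; the table, role and user names (dbo.Customers, reporting_role, analyst_role, reporting_user) are assumed, and the sample row is constructed.

```sql
-- Added example (not from the original page): Dynamic Data Masking on a constructed table.
-- Table, role and user names below are assumptions for illustration.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    FullName   NVARCHAR(100) NOT NULL,
    SSN        CHAR(11)      NOT NULL,
    Phone      VARCHAR(20)   NULL,
    Email      NVARCHAR(254) NULL
);

-- SSN: show only the last four digits, prefixed with the literal XXX-XX- (gives XXX-XX-1234).
ALTER TABLE dbo.Customers
    ALTER COLUMN SSN ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');

-- Phone: full masking with the default function (string columns show XXXX).
ALTER TABLE dbo.Customers
    ALTER COLUMN Phone ADD MASKED WITH (FUNCTION = 'default()');

-- Email: built-in email() mask keeps the first character and a .com suffix (sXXX@XXXX.com).
ALTER TABLE dbo.Customers
    ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');

-- Constructed sample row.
INSERT INTO dbo.Customers (FullName, SSN, Phone, Email)
VALUES (N'Sample Person', '123-45-1234', '555-0100', N'sample@example.com');

-- Least privilege: the reporting role can SELECT but is not granted UNMASK, so it sees
-- masked values; only the analyst role receives UNMASK (database-scoped here).
CREATE ROLE reporting_role;
GRANT SELECT ON dbo.Customers TO reporting_role;
CREATE ROLE analyst_role;
GRANT SELECT ON dbo.Customers TO analyst_role;
GRANT UNMASK TO analyst_role;
-- SQL Server 2022 / Azure SQL also allow column-level grants, e.g.
-- GRANT UNMASK ON dbo.Customers(SSN) TO analyst_role;

-- Verification: run a query as a member of the non-privileged role and confirm masking.
CREATE USER reporting_user WITHOUT LOGIN;
ALTER ROLE reporting_role ADD MEMBER reporting_user;
EXECUTE AS USER = 'reporting_user';
SELECT SSN, Phone, Email FROM dbo.Customers;   -- XXX-XX-1234 | XXXX | sXXX@XXXX.com
REVERT;

-- Audit: list which columns in the table are masked and with which function.
SELECT c.name AS column_name, c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables AS t ON c.object_id = t.object_id
WHERE t.name = 'Customers';
```

Masking is applied to result sets only; WHERE predicates still evaluate against the real values, so treat DDM as a complement to column-level permissions and encryption, not a replacement for them.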