NIST 800-53 REV 5 • ACCESS CONTROL
AC-3(14) — Individual Access
Provide {{ insert: param, ac-03.14_odp.01 }} to enable individuals to have access to the following elements of their personally identifiable information: {{ insert: param, ac-03.14_odp.02 }}.
Supplemental Guidance
Individual access affords individuals the ability to review personally identifiable information about them held within organizational records, regardless of format. Access helps individuals to develop an understanding about how their personally identifiable information is being processed. It can also help individuals ensure that their data is accurate. Access mechanisms can include request forms and application interfaces. For federal agencies, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) processes can be located in systems of record notices and on agency websites. Access to certain types of records may not be appropriate (e.g., for federal agencies, law enforcement records within a system of records may be exempt from disclosure under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455)) or may require certain levels of authentication assurance. Organizational personnel consult with the senior agency official for privacy and legal counsel to determine appropriate mechanisms and access rights or limitations.
Practitioner Notes
"Individual access" in this enhancement is a privacy mechanism, not a user-identification requirement: the organization gives individuals (the data subjects) a way to see the personally identifiable information it holds about them, so they can understand how it is processed and get inaccuracies corrected. Unique accounts for workforce users and SSO for business applications are covered by account management and identification controls (AC-2, IA-2), not by AC-3(14). The first parameter names the mechanism (for example a request form or an application interface); the second lists which PII elements the organization makes available.
Example 1: Publish a PII access request process: a web form or mailed request that identifies the system of records, states what the individual must provide to verify identity, and describes how and when results are returned. For federal agencies, align it with the Privacy Act procedures in the relevant system of records notice. Document, with the senior agency official for privacy and legal counsel, which record categories are exempt from disclosure (for example law enforcement records) and how exempt records are handled in the response.
Example 2: For self-service access through an application interface, authenticate the individual at the assurance level appropriate to the sensitivity of the records before releasing anything, take the subject identity from the authenticated session rather than from a user-supplied identifier (so one person cannot request another's records), return only the PII elements listed in the second parameter, withhold exempt categories, and log each request and release for audit.
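The handler below is an added illustration of the application-interface mechanism in Example 2; it is not code from NIST or from any agency system. The accessible PII elements, the exempt category, the minimum assurance level, and the sample records are all assumptions standing in for the two organization-defined parameters and for decisions made with the privacy official and counsel.

```python
"""Illustrative individual-access (data-subject access) handler for AC-3(14).

Assumed parameters (stand-ins for ac-03.14_odp.01 / ac-03.14_odp.02):
  mechanism  = this handler, called from an authenticated self-service interface
  PII elements individuals may retrieve = ACCESSIBLE_PII_ELEMENTS below
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed: the PII elements the organization has chosen to make available.
ACCESSIBLE_PII_ELEMENTS = frozenset({"name", "mailing_address", "email", "date_of_birth"})
# Assumed: record categories withheld from individual access (e.g. law enforcement
# records exempt from disclosure). Which categories apply is a SAOP/counsel decision.
EXEMPT_CATEGORIES = frozenset({"law_enforcement"})
# Assumed: identity assurance level the requester must have established at login.
MIN_ASSURANCE_LEVEL = 2


@dataclass(frozen=True)
class Record:
    subject_id: str   # individual the record is about
    category: str     # record category within the system of records
    fields: dict      # stored data elements


@dataclass(frozen=True)
class Requester:
    subject_id: str       # taken from the authenticated session, never from the request body
    assurance_level: int  # assurance level of the authentication that created the session


@dataclass
class AccessResponse:
    released: list = field(default_factory=list)   # records disclosed to the individual
    withheld: int = 0                               # exempt records not disclosed
    denied_reason: Optional[str] = None
    audit: list = field(default_factory=list)       # one audit line per decision


def individual_access(requester: Requester, records: list) -> AccessResponse:
    """Return the requester's own accessible PII, withholding exempt records."""
    resp = AccessResponse()
    if requester.assurance_level < MIN_ASSURANCE_LEVEL:
        resp.denied_reason = "insufficient authentication assurance"
        resp.audit.append(f"DENY subject={requester.subject_id} reason={resp.denied_reason}")
        return resp
    for rec in records:
        # Scope is fixed by the authenticated identity: other individuals' records are
        # never considered, which is what prevents cross-subject disclosure.
        if rec.subject_id != requester.subject_id:
            continue
        if rec.category in EXEMPT_CATEGORIES:
            resp.withheld += 1
            resp.audit.append(f"WITHHOLD subject={requester.subject_id} category={rec.category}")
            continue
        # Release only the elements the organization has designated as accessible.
        disclosed = {k: v for k, v in rec.fields.items() if k in ACCESSIBLE_PII_ELEMENTS}
        resp.released.append({"category": rec.category, "fields": disclosed})
        resp.audit.append(
            f"RELEASE subject={requester.subject_id} category={rec.category} "
            f"fields={sorted(disclosed)}"
        )
    return resp


# Constructed sample records for demonstration only.
SAMPLE_RECORDS = [
    Record("A-1001", "benefits",
           {"name": "Pat Example", "email": "pat@example.org",
            "ssn": "000-00-0000", "case_notes": "internal adjudication notes"}),
    Record("A-1001", "law_enforcement",
           {"name": "Pat Example", "investigation_id": "LE-42"}),
    Record("B-2002", "benefits",
           {"name": "Sam Other", "email": "sam@example.org"}),
]


def demo() -> AccessResponse:
    """Requester A-1001, authenticated at the required assurance level."""
    return individual_access(Requester("A-1001", 2), SAMPLE_RECORDS)


if __name__ == "__main__":
    result = demo()
    print("released:", result.released)
    print("withheld:", result.withheld, "denied:", result.denied_reason)
    for line in result.audit:
        print(line)
```

Two design points carry the weight: the subject identity comes from the session, so the interface never accepts an identifier that could be swapped for someone else's, and the released fields are projected through the designated element list rather than filtered by a deny-list, so a newly added column is not disclosed by default. Whether the individual is told that exempt records were withheld is a question for the privacy official and counsel, not for the code.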