NIST 800-53 REV 5 • ACCESS CONTROL
AC-3(8) — Revocation of Access Authorizations
Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on {{ insert: param, ac-03.08_odp }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process acting on behalf of a user) is removed from a group, access may not be revoked until the next time the object is opened or the next time the subject attempts to access the object. Revocation based on changes to security labels may take effect immediately. Organizations provide alternative approaches on how to make revocations immediate if systems cannot provide such capability and immediate revocation is necessary.
Practitioner Notes
When someone's access is revoked — whether they leave, change roles, or violate policy — the system must actually cut off their access promptly. It is not enough to remove them from a list; active sessions and cached credentials need to be invalidated too.
Example 1: In Azure AD, when you disable an account, also go to Users → [User] → Revoke sessions to invalidate all existing tokens immediately. Otherwise, the user may continue to access M365 apps for up to an hour using their cached token.
Example 2: On-premises, use the klist purge command to clear Kerberos tickets on the user's workstation, or force a password reset on the account. In high-security environments, also disable the computer account of their workstation to prevent any cached credential attacks.
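The two examples above, carried out as one script, as an added illustration that is not part of the NIST catalog text or of any vendor documentation. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users and Microsoft.Graph.Users.Actions) and the ActiveDirectory module are installed, that the caller holds User.ReadWrite.All and User.RevokeSessions.All in the tenant and domain admin rights on-premises, and that `klist sessions` prints one line per logon session in the shape `[n] Session m 0:0x<hex> DOMAIN\user ...` (an assumption about the tool's output). The user, workstation and domain names are constructed sample values, and each function ends with a check that the revocation actually took effect.

```powershell
# Added example: make an access revocation immediate in Azure AD and in on-prem AD.
# Assumed modules: Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, ActiveDirectory.

function Revoke-CloudAccess {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Scopes assumed sufficient for Update-MgUser and Revoke-MgUserSignInSession.
    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All' -NoWelcome

    # Step 1: disable the account so no new tokens can be issued to it.
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false

    # Step 2: invalidate refresh tokens and browser session cookies. This is what the
    # portal's "Revoke sessions" button does; it resets signInSessionsValidFromDateTime.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

    # Step 3: verify. AccountEnabled must be $false and the timestamp must be "now".
    $u = Get-MgUser -UserId $UserPrincipalName -Property 'accountEnabled', 'signInSessionsValidFromDateTime'
    [pscustomobject]@{
        User              = $UserPrincipalName
        AccountEnabled    = $u.AccountEnabled
        SessionsValidFrom = $u.SignInSessionsValidFromDateTime
    }
}

function Revoke-OnPremAccess {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Workstation,
        [switch]$DisableWorkstation   # the high-security option from Example 2
    )
    Import-Module ActiveDirectory

    # Step 1: disable the account and reset its password to a random value, so a
    # cached or stolen password can no longer be used to obtain a new TGT.
    Disable-ADAccount -Identity $SamAccountName
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPw

    # Step 2: purge Kerberos tickets already cached on the user's workstation.
    # A bare 'klist purge' only clears the logon session it runs in (here, the
    # remoting session), so the script block locates the user's own logon ID(s)
    # from 'klist sessions' (assumed line format, see lead-in) and purges those
    # sessions explicitly with 'klist -li <id> purge'.
    $purged = Invoke-Command -ComputerName $Workstation -ArgumentList $SamAccountName -ScriptBlock {
        param($User)
        $pattern = '\\' + [regex]::Escape($User) + '\s'
        $ids = klist sessions |
            Where-Object { $_ -match $pattern } |
            ForEach-Object { if ($_ -match '0:(0x[0-9a-fA-F]+)') { $Matches[1] } }
        foreach ($id in $ids) { klist -li $id purge | Out-Null }
        $ids
    }

    # Step 3 (optional): disable the workstation's computer account so the machine
    # itself can no longer authenticate to the domain.
    if ($DisableWorkstation) {
        Get-ADComputer -Identity $Workstation | Disable-ADAccount
    }

    # Verification: the account must now be disabled and at least one session purged.
    [pscustomobject]@{
        User                = $SamAccountName
        Enabled             = (Get-ADUser -Identity $SamAccountName).Enabled
        PurgedLogonIds      = @($purged)
        WorkstationDisabled = $DisableWorkstation.IsPresent
    }
}

# Usage with constructed sample values:
# Revoke-CloudAccess  -UserPrincipalName 'alice@contoso.example'
# Revoke-OnPremAccess -SamAccountName 'alice' -Workstation 'WS01' -DisableWorkstation
```

Two limits are worth knowing when you rely on this. In Azure AD, revoking sessions invalidates refresh tokens and session cookies, but access tokens that were already issued stay valid until they expire on their own (about an hour by default) unless the client and resource support Continuous Access Evaluation; that is the window Example 1 refers to. On-premises, purging the ticket cache removes tickets from the client, but a service ticket already presented to a server (an open SMB or RDP session, for instance) keeps whatever session the server established until that session ends, and Kerberos tickets cannot be recalled at the KDC. For a cut-off that is immediate in the sense AC-3(8) intends, pair these steps with logging the user off (or restarting the workstation) and terminating their server-side sessions.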