NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(10) Enable and Disable Security or Privacy Policy Filters

Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

For example, as allowed by the system authorization, administrators can enable security or privacy policy filters to accommodate approved data types. Administrators also have the capability to select the filters that are executed on a specific data flow based on the type of data that is being transferred, the source and destination security domains, and other security or privacy relevant features, as needed.

Practitioner Notes

This control gives authorized administrators the ability to turn security or privacy policy filters on and off as operational needs require. That flexibility must itself be controlled and logged; it is not a free-for-all.

Example 1: In your DLP solution (Purview, Symantec DLP), restrict the ability to disable or modify DLP policies to a named security admin group. Log every policy change and require a change request ticket before any filter is disabled, even temporarily.

Example 2: On your firewall, implement change management for any rule modifications. Use a tool like Tufin or AlgoSec to track who changed what rule and when. Require dual approval for disabling any security-relevant rule, and set automatic re-enablement after the approved window closes.
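The pattern behind both examples, as an added illustration that is not part of the control text or of any vendor product: a small gatekeeper in front of the disable capability that enforces admin-group membership, a change ticket, dual approval and a bounded window, logs every decision, and re-enables the filter once the approved window closes. The admin group, the `CHG-` ticket prefix and the four-hour limit are assumed values; timestamps are Unix epoch seconds.

```python
from dataclasses import dataclass, field

# Assumed values (not from the control text): the named admin group that may
# toggle filters and the longest window (seconds) a filter may stay disabled.
FILTER_ADMINS = {"alice", "bob"}
MAX_WINDOW_S = 4 * 3600


@dataclass
class FilterControl:
    """Gatekeeper in front of a DLP or firewall filter's enable/disable capability.
    filters maps filter id -> {"enabled": bool, "reenable_at": epoch seconds or None}."""
    filters: dict
    audit_log: list = field(default_factory=list)

    def _deny(self, filter_id, actor, reason):
        self.audit_log.append({"action": "disable", "filter": filter_id,
                               "actor": actor, "result": "denied", "reason": reason})
        return False

    def disable(self, filter_id, actor, approver, ticket, window_s, now):
        """Allow a disable only with admin membership, a distinct second approver,
        a change ticket, and a bounded window; every decision is logged."""
        if actor not in FILTER_ADMINS or approver not in FILTER_ADMINS:
            return self._deny(filter_id, actor, "not in admin group")
        if actor == approver:
            return self._deny(filter_id, actor, "dual approval needs a second admin")
        if not ticket or not ticket.startswith("CHG-"):  # assumed ticket id format
            return self._deny(filter_id, actor, "missing change request ticket")
        if not 0 < window_s <= MAX_WINDOW_S:
            return self._deny(filter_id, actor, "window outside approved bounds")
        state = self.filters[filter_id]
        state["enabled"], state["reenable_at"] = False, now + window_s
        self.audit_log.append({"action": "disable", "filter": filter_id, "actor": actor,
                               "approver": approver, "ticket": ticket, "result": "ok",
                               "reenable_at": state["reenable_at"]})
        return True

    def reconcile(self, now):
        """Run on a schedule: re-enable every filter whose approved window has closed."""
        restored = []
        for fid, state in self.filters.items():
            expiry = state["reenable_at"]
            if not state["enabled"] and expiry is not None and now >= expiry:
                state["enabled"], state["reenable_at"] = True, None
                self.audit_log.append({"action": "auto_reenable", "filter": fid,
                                       "actor": "system", "result": "ok"})
                restored.append(fid)
        return restored
```

The `audit_log` list stands in for whatever SIEM or ticketing integration records the change; the `reconcile` call is what a scheduled job would run to enforce the re-enablement window.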