Discussion:

Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).

Determining Statements (NIST SP 800-171Ar2)

Upon assessment, assessors must determine if-

3.1.2[a] the types of transactions and functions that authorized users are permitted to
execute are defined.
3.1.2[b] system access is limited to the defined types of transactions and functions for
authorized users.

Assessors are instructed to-

Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; system security plan; system design documentation; list of approved authorizations including remote access authorizations; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Personnel with access enforcement responsibilities; system or network administrators; personnel with information security responsibilities; system developers].

Test: [SELECT FROM: Mechanisms implementing access control policy].