Implementing NIST – Access Control - Access Control Decisions


Based on NIST 800-53 AC-24, it is recommended to implement procedures that ensure an access control decision is applied to each access request before that decision is enforced. Additionally, information systems should transmit access authorisation information securely and, where feasible, should not include the identity of the user (or the process acting on behalf of a user) in that information.

How to implement Access Control Decisions

Businesses must first adopt an access control method based on their business case and then apply restrictive controls to only allow what is needed. Below are some common access control methods:

  • Role-based Access Control (RBAC)
  • Attribute-Based Access Control (ABAC)
  • Mandatory Access Control (MAC)
  • Access Control List (ACL)
  • Discretionary Access Control (DAC)
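The following is an added example, not code from the original article: a minimal policy decision point that combines RBAC (role grants) with an ABAC constraint, evaluates every request before the enforcement point acts, defaults to deny, and hands the enforcement point a decision message that carries only what enforcement needs (resource, action, verdict) and omits the subject's identity, as AC-24 recommends where feasible. The role names, resources, attribute names and the MFA/network constraint are constructed for illustration.

```python
"""Added example (not from the original article): a minimal policy decision
point (PDP) and enforcement point (PEP). Every request is decided before it is
enforced, the default is deny, and the decision message omits the subject's
identity. Roles, resources and attributes below are constructed."""
from dataclasses import dataclass, field
import json

# Constructed RBAC policy: role -> {resource: set of permitted actions}.
ROLE_PERMISSIONS = {
    "analyst": {"/reports": {"read"}},
    "admin": {"/reports": {"read", "write"}, "/users": {"read", "write"}},
}


def abac_allows(action, attrs):
    """Constructed ABAC constraint: writes require an MFA-authenticated
    session originating from the corporate network; reads are unconstrained."""
    if action == "write":
        return attrs.get("mfa") is True and attrs.get("network") == "corp"
    return True


@dataclass
class AccessRequest:
    subject: str            # who is asking; used for the decision, never transmitted
    roles: list
    resource: str
    action: str
    attributes: dict = field(default_factory=dict)


def decide(req):
    """Evaluate one request. Returns (permit, reason). Default is deny:
    permit only if some role grants the action AND the ABAC constraint holds."""
    role_grants = any(
        req.action in ROLE_PERMISSIONS.get(role, {}).get(req.resource, set())
        for role in req.roles
    )
    if not role_grants:
        return False, "no role grants this action on the resource"
    if not abac_allows(req.action, req.attributes):
        return False, "attribute constraint not satisfied"
    return True, "permit"


def decision_message(req, permit):
    """Payload the PDP sends to the PEP. It carries what enforcement needs
    (resource, action, verdict) and deliberately omits the subject identifier."""
    return json.dumps({
        "resource": req.resource,
        "action": req.action,
        "decision": "permit" if permit else "deny",
    })


def enforce(req):
    """PEP: always obtains a fresh decision for this request before acting.
    Returns (allowed, message_as_sent)."""
    permit, _reason = decide(req)
    msg = decision_message(req, permit)
    return json.loads(msg)["decision"] == "permit", msg


if __name__ == "__main__":
    req = AccessRequest("alice", ["analyst"], "/reports", "read")
    print(enforce(req))
```

The message the decision point emits is the part worth reviewing in your own implementation: anything beyond resource, action and verdict should have a documented need at the enforcement point.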

When implementing access control methods, it’s important to use encrypted channels to communicate access control data. Below are some protocols which support encrypted communications:

  • HTTPS (Hypertext Transfer Protocol Secure)
  • SSH (Secure Shell)
  • FTPS (FTP over SSL)
  • SFTP (SSH File Transfer Protocol or FTP over SSH)

How to verify Access Control Decisions are implemented

Below are some ways to check if this control is implemented securely.

  1. Inspect traffic using a proxy to determine if unnecessary attributes are being transmitted.
  2. Launch security tests that try to misuse or abuse access control decision data. The tests will highlight security gaps in the implementation that may lead to a compromise.
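The following is an added example, not code from the original article, illustrating check 1 (and the encrypted-channel requirement above) offline: a proxy capture is represented as constructed newline-delimited JSON, where each record holds the transport scheme and the authorisation-decision body. The check flags plaintext transport, identity attributes (which AC-24 says to omit where feasible) and any attribute outside an allowlist of fields the enforcement point actually needs. The field names, the allowlist and the sample capture are assumptions for illustration.

```python
"""Added example (not from the original article): an offline inspection of
captured authorisation-decision traffic. The capture format, field names and
allowlist are constructed assumptions."""
import json

# Fields the enforcement point needs (assumption for this example).
ALLOWED_FIELDS = {"resource", "action", "decision"}
# Fields that reveal who is acting; flagged separately from other extras.
IDENTITY_FIELDS = {"username", "user_id", "email", "subject"}
# Schemes listed in the article as supporting encrypted communication.
ENCRYPTED_SCHEMES = {"https", "ssh", "ftps", "sftp"}

# Constructed proxy capture: one JSON record per line.
CAPTURE = """\
{"scheme": "https", "body": {"resource": "/reports", "action": "read", "decision": "permit"}}
{"scheme": "http", "body": {"resource": "/reports", "action": "read", "decision": "permit"}}
{"scheme": "https", "body": {"resource": "/users", "action": "write", "decision": "deny", "username": "alice", "email": "alice@example.test"}}
{"scheme": "https", "body": {"resource": "/users", "action": "write", "decision": "permit", "session_ttl": 900}}
"""


def inspect_record(record):
    """Return a list of finding strings for one captured message."""
    findings = []
    if record.get("scheme", "").lower() not in ENCRYPTED_SCHEMES:
        findings.append(f"plaintext transport: {record.get('scheme')}")
    for key in sorted(record.get("body", {})):
        if key in IDENTITY_FIELDS:
            findings.append(f"identity attribute transmitted: {key}")
        elif key not in ALLOWED_FIELDS:
            findings.append(f"unnecessary attribute: {key}")
    return findings


def inspect_capture(text):
    """Parse newline-delimited JSON; return {line_number: findings} for the
    lines that produced at least one finding."""
    results = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        findings = inspect_record(json.loads(line))
        if findings:
            results[number] = findings
    return results


if __name__ == "__main__":
    for number, findings in inspect_capture(CAPTURE).items():
        for finding in findings:
            print(f"line {number}: {finding}")
```

Against a real proxy export, the allowlist is the part to maintain: add a field only when the enforcement point has a documented need for it, so the check keeps reporting drift.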





Why implement Access Control Decisions

Protecting access authorisation data minimises the risk of data being altered, spoofed, or otherwise compromised during transmission.



