HOME

AC-2 (12)

AC-2 (12) H M
Description

The organization:
(a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and
(b) Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles].

FedRAMP
  • H AC-2 (12) (b)[at a minimum, the ISSO and/or similar role within the organization]
DISA Cloud Computing SRG

a. Not appropriate for DoD to define for all CSP's infrastructure or service offerings

b. at a minimum, the ISSO

Source:
DoD RMF TAG

Supplemental Guidance

Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations.

Further Guidance

AC-2 (12)(a) Guidance: Required for privileged accounts.
AC-2 (12)(b) Guidance: Required for privileged accounts.

Related Controls