AC-1: Policy and Procedures

Control ID: AC-01
Control Name: Policy and Procedures
Framework: NIST SP 800-53, Revision 5
Control Family: Access Control
Baselines: LOW, MODERATE, HIGH, PRIVACY
Relevance: Organization (First Party and Third Party)
Risk Severity: Low

What this control requires

AC-01 requires organizations to develop, document, and maintain a formal access control policy and the procedures that implement it. The policy must spell out who’s responsible for access decisions, how those responsibilities are coordinated, and what compliance obligations apply under relevant laws, executive orders, and regulations.

Specifically, the control calls for a designated official who owns the entire lifecycle of the policy and its supporting procedures. That ownership covers development, documentation, dissemination, and periodic review. You’ll also need to tie the policy directly to your organization’s risk management strategy, because the rigor of your access control posture should reflect the actual risk environment you’re operating in.

The most common point of failure is the gap between restating controls and writing actual procedures. Restating the language of a control does not constitute a procedure. Your procedures should be concrete enough that a practitioner can follow them without guessing.

In practice, this means those procedures need to be updated at organization-defined frequencies and whenever triggering events occur, such as audit findings, security incidents, or changes in law. Security and privacy teams should collaborate on both the policy and the procedures, and organization-level policies are generally preferred over system-specific ones to reduce fragmentation.

Why it matters

Missing or outdated access control policies create a governance gap that auditors notice immediately. AC-01 sits at the foundation of the entire Access Control family, which means weaknesses here cascade outward. Without a clear, current policy, every downstream control from account management to remote access inherits ambiguity about who’s authorized, under what conditions, and with what oversight.

The consequence is direct regulatory exposure. Federal agencies operating under FISMA face compliance risk if AC-01 can’t be demonstrated, and organizations pursuing FedRAMP authorization will find that policy and procedure gaps are among the first findings assessors document. Even in the private sector, frameworks like HIPAA and SOC 2 expect equivalent governance, making this control relevant well beyond the federal space.

The second point of failure is the gap between having a policy and having a living policy. A document that was written three years ago and hasn’t been reviewed since doesn’t satisfy AC-01, and it won’t survive an audit. Policies that don’t reflect current threats, organizational changes, or regulatory updates give a false sense of compliance while leaving actual access decisions unguided.

The result is eroded trust in the control environment itself. When practitioners encounter outdated guidance, they work around it, creating shadow processes that auditors can’t evaluate and that security leadership can’t monitor. This pattern makes the entire AC family fragile.

What attackers exploit:

  • Absence of a current policy, which leaves no authoritative basis for access decisions and lets unauthorized access go undetected
  • Procedures that restate control language without specifying implementation steps, creating gaps adversaries exploit through inconsistent enforcement
  • No designated official accountable for access governance, meaning nobody owns detection and response when access anomalies occur
  • Policies that omit required elements like coordination and compliance, allowing attackers to move laterally between organizational entities without triggering review
  • Drift between stated policy and actual practice, which creates shadow access paths that bypass intended controls

How to implement

In most environments, the policy exists on paper but doesn’t connect to how access decisions actually get made. That disconnect is the most common failure mode for AC-01.

For your organization

Start by designating a specific official, typically the CISO or a senior security manager, as the policy owner. This person is accountable for ensuring the information security policy stays current and that procedures reflect operational reality.

Specifically, draft the policy to cover every element AC-01 requires: purpose, scope, roles and responsibilities, management commitment, coordination among stakeholders, and compliance alignment with applicable laws. Don’t write this in isolation. Bring in privacy, legal, HR, and IT operations early, because access control policy touches all of them.

Develop procedures as separate, actionable documents. Each procedure should map to a specific access control activity, such as account provisioning, access reviews, or remote access authorization. Write them so a practitioner can execute the steps without interpretation.

In practice, this means setting a review cadence. Most organizations review annually, but you should also define triggering events: audit findings, security incidents, organizational restructuring, or changes in regulation. Document every review, even if no changes result, because auditors need evidence that the review happened.

The result of all this work should be a defensible evidence trail. Store policy versions, review records, approval signatures, and dissemination logs in a centralized system. Governance, risk, and compliance platforms and policy management tools can automate version control, review reminders, and acknowledgment tracking.

Common mistakes:

  • Writing a policy that restates NIST control language without translating it into organization-specific guidance
  • Assigning policy ownership to a committee instead of a single accountable official
  • Failing to update procedures after an incident or organizational change
  • Storing the policy in a location where affected personnel can’t access it
  • Treating the policy as a one-time deliverable rather than a living document

For your vendors

When assessing vendor compliance with AC-01, you’re looking for evidence that access control governance is formalized, current, and actively enforced. A vendor who can’t produce a policy and procedures document, or who provides one that’s clearly outdated, is signaling broader control environment weaknesses.

Specifically, in your security questionnaire, ask directly: “Do you maintain a formal access control policy and supporting procedures? When was the policy last reviewed and by whom?” Follow up with requests for the actual documents rather than self-attestation alone.

Go beyond self-attestation by requesting these artifacts: the current access control policy, a sample procedure document (for example, account provisioning), evidence of the most recent policy review (meeting minutes, approval records, or change logs), and a record of who’s designated as the policy owner. Cross-reference what you receive against the elements AC-01 requires, particularly purpose, scope, roles, and compliance alignment.

Red flags to watch for:

  • A policy dated more than two years ago with no review history
  • Procedures that are generic templates with no organization-specific detail
  • No named policy owner or a policy owner who’s no longer with the organization
  • Inability to produce dissemination records showing staff awareness
  • Policy scope that doesn’t cover the systems or services relevant to your engagement

Document review alone isn’t enough, though. Consider whether your vendor’s access control practices align with what the policy states. If you have audit rights, compare the written procedures to actual configurations. A vendor management policy that includes periodic access control validation helps you catch drift before it becomes a finding.

Evidence examples

Evidence type and example artifact:

Access control policy: Current version of the organization’s access control policy, including purpose, scope, roles, and compliance alignment sections
Access control procedures: Step-by-step procedure documents for account provisioning, access reviews, and remote access authorization
System security plan: Relevant sections describing how AC-01 is addressed within the system boundary
Privacy plan: Documentation showing privacy considerations integrated into access control policy
Policy review records: Meeting minutes, change logs, or approval signatures from the most recent policy review cycle
Designated official documentation: Organizational chart or appointment memo identifying the official responsible for AC-01 policy lifecycle
Dissemination records: Email distribution logs, intranet acknowledgment receipts, or training sign-off sheets confirming personnel received the policy

Cross-framework mapping

Framework and control(s), with coverage:

ISO 27001:2022, 5.1 Policies for information security: Partial
ISO 27001:2022, 5.2 Information security roles and responsibilities: Partial
ISO 27001:2022, 5.3 Segregation of duties: Partial
ISO 27001:2022, 5.4 Management responsibilities: Partial
ISO 27001:2022, 5.15 Access control: Partial
ISO 27001:2022, 5.31 Legal, statutory, regulatory and contractual requirements: Partial
ISO 27001:2022, 5.36 Compliance with policies, rules and standards for information security: Partial
ISO 27001:2022, 5.37 Documented operating procedures: Partial
NIST SP 800-171 Rev 3, 03.15.01 Policy and Procedures: Partial

AC-01 is a foundational control, and several other controls depend on the governance structure it establishes.

  • IA-01 — Policy and Procedures: Establishes the equivalent policy and procedures foundation for the Identification and Authentication control family.
  • PM-09 — Risk Management Strategy: Defines the risk management strategy that directly shapes the scope and rigor of access control policies.
  • PM-24 — Data Integrity Board: Oversees data integrity disputes and decisions that access control policies must account for in privacy-related systems.
  • PS-08 — Personnel Sanctions: Defines consequences for personnel who violate access control policies, reinforcing policy enforcement.
  • SI-12 — Information Management and Retention: Governs how long access control records and policy documents must be retained and managed.

Frequently asked questions

What is NIST SP 800-53 AC-01?

AC-01 is the NIST SP 800-53 control that requires organizations to develop, document, disseminate, and periodically review a formal access control policy and supporting procedures. The policy must address purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance with applicable laws. A designated official must own the policy lifecycle, and procedures must describe how access controls are actually implemented rather than restating control requirements.

What happens if AC-01 is not implemented?

Without AC-01, your organization lacks the governance foundation for every other access control. Auditors will flag the absence as a finding, and the gap can trigger certification withdrawal in FedRAMP assessments or regulatory action under FISMA. The downstream effect is significant: without documented policy and procedures, controls like account management, access enforcement, and separation of duties have no authoritative basis, creating cascading failures across the entire Access Control family.

How do you audit AC-01?

Auditors verify AC-01 by examining the access control policy and procedures documents for completeness against the required elements: purpose, scope, roles, responsibilities, management commitment, coordination, and legal compliance. They review policy review records and update history to confirm the organization meets its defined review frequency. Interviews with the designated official and key personnel validate that dissemination occurred and that staff understand the policy.

In practice, assessment checks also include comparing written procedures to observed access control practices and confirming that triggering events, such as audit findings or incident responses, resulted in documented policy updates.

Is NIST SP 800-53 AC-01 mandatory?

Whether AC-01 is mandatory depends on your organization’s regulatory context. Federal agencies must implement it under FISMA, and any organization seeking FedRAMP authorization is required to demonstrate compliance with AC-01 as part of the NIST 800-53 compliance checklist. Private-sector organizations aren’t directly bound by NIST SP 800-53, but many adopt it voluntarily as a comprehensive security framework or encounter it through contractual requirements when working with federal customers.

In practice, the governance discipline that AC-01 represents (maintaining formal access control policies and procedures) is expected across most compliance frameworks regardless of mandate.
