AC-23: Data Mining Protection

NIST SP 800-53 Revision 5 | Access Control | Medium Risk

Control ID: AC-23
Control Name: Data Mining Protection
Framework: NIST SP 800-53, Revision 5
Control Family: Access Control
Baselines: none (not selected in the Low, Moderate, or High baseline)
Relevance: Organization (First Party and Third Party)
Risk Severity: Medium

What this control requires

AC-23 requires organizations to deploy specific techniques that detect and prevent unauthorized data mining across designated data storage objects. The control targets the gap between legitimate analytical queries and unauthorized pattern extraction, a distinction most organizations don’t draw until sensitive data has already been reassembled from seemingly harmless query results.

In practice, this requirement means defining which databases, data warehouses, and record stores contain information worth protecting from mining, then selecting and applying prevention and detection techniques calibrated to each store’s risk profile. Techniques range from limiting query frequency and restricting response types to applying differential privacy or homomorphic encryption. The goal is to raise the work factor an attacker or insider needs to extract meaningful patterns from organizational data stores, a challenge the NIST SP 800-53 framework overview addresses in greater detail.

But the harder challenge is authorization. Before any data mining activity takes place, whether by internal analytics teams or automated systems, organizations must confirm the activity is authorized under applicable laws, executive orders, and internal policy. The privacy risks escalate sharply when the information being mined includes personally identifiable information, and organizations must consult the senior agency official for privacy and legal counsel before proceeding.

Why it matters

Most organizations treat database access control as a solved problem. They authenticate the user, authorize the query, and log the result. AC-23 exposes a blind spot in that model.

Specifically, a user with legitimate read access can still extract sensitive patterns through repeated, targeted queries that individually look routine. A single query returning a filtered list of employees is unremarkable, but a sequence of queries, each filtering on a different attribute, can reconstruct personnel records, salary distributions, health conditions, or security clearance status without triggering a traditional access violation.

In practice, this reconstruction pattern is precisely what insider threat programs mandated under Executive Order 13587 are designed to detect. AC-23 exists to close the gap between authorized read access and unauthorized pattern extraction at the data store level.

The consequence is audit exposure. For organizations subject to NIST SP 800-53 compliance requirements, a missing AC-23 implementation signals a gap in both data protection and privacy governance, two areas that auditors increasingly treat as inseparable. Failure to maintain this control may result in certification withdrawal, regulatory findings, or loss of authorization to operate.

What attackers exploit

  • Incremental query reconstruction: Running hundreds of narrowly scoped queries to reassemble restricted datasets without triggering bulk-access alerts.
  • Insider data exfiltration: Authorized users mining organizational data stores to collect information for theft, espionage, or competitive advantage.
  • Analytical tool misuse: Business intelligence and reporting tools used beyond their authorized scope to correlate sensitive fields across databases.
  • API-based extraction: Programmatic queries against database APIs that bypass front-end query limits and monitoring.
  • Privacy inference attacks: Combining de-identified datasets with external information to re-identify individuals.

How to implement

The most common failure mode for AC-23 is treating it as a database security control when it’s actually a data governance control. Organizations that bolt query monitoring onto existing database access controls without defining which data stores require protection, and which mining activities are authorized, consistently fail audits.

For your organization

Step 1: Inventory protected data storage objects. Catalog all databases, data warehouses, data lakes, and structured record stores that contain sensitive, proprietary, or personally identifiable information. Assign each a risk classification that determines the level of mining protection required.

Step 2: Define authorized data mining activities. Work with privacy counsel and the senior agency official for privacy to document which analytical activities are authorized, by whom, under what conditions, and for what purposes. This authorization framework becomes your baseline for detecting unauthorized mining.

Step 3: Select and deploy detection and prevention techniques. The following techniques map to different risk profiles.

  • Query throttling: Limit the number and frequency of database queries per user, role, or session to increase the work factor for pattern extraction.
  • Response restriction: Limit the types and granularity of responses to database queries, for example, returning aggregated results instead of individual records.
  • Differential privacy: Apply mathematical noise to query results so individual records can’t be reconstructed from aggregate outputs.
  • Anomaly detection: Configure alerts for atypical query patterns, including unusual volumes, off-hours access, or queries targeting fields not associated with a user’s role.

Step 4: Integrate with the insider threat program. AC-23 directly supports the insider threat program required under PM-12. Ensure that data mining detection feeds into insider threat monitoring so anomalous query behavior triggers investigation rather than just logging.

Step 5: Document and review. Maintain a data mining protection policy, update it annually, and include data mining scenarios in your security awareness program.
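To make the Step 3 techniques concrete, and to show how the incremental-reconstruction pattern described under "Why it matters" surfaces in query telemetry, here is a small query monitor. It is an added example, not code from the page's author or from NIST; the log format, the thresholds in POLICY, the user names and every log line are constructed for the demonstration. It applies query throttling per user per time window, response restriction (result sets smaller than a minimum group size are released only as a differentially private count with Laplace noise rather than as rows), and two anomaly rules: many distinct filter attributes in one window, and off-hours access. Homomorphic encryption is not shown.

```python
"""Query monitor demonstrating AC-23 techniques over constructed log lines (example code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import math
import random

# Constructed sample query log: timestamp, user, table, filter column, rows returned.
# The first user's sequence filters the same table on a new attribute each time.
SAMPLE_LOG = [
    "2024-03-04T09:00:01Z alice employees department 120",
    "2024-03-04T09:01:10Z alice employees location 95",
    "2024-03-04T09:02:30Z alice employees hire_year 40",
    "2024-03-04T09:03:05Z alice employees clearance 3",
    "2024-03-04T09:03:40Z alice employees salary_band 2",
    "2024-03-04T09:04:00Z alice employees health_flag 1",
    "2024-03-04T10:15:00Z bob employees department 110",
    "2024-03-04T02:30:00Z carol employees department 130",
]

# Hypothetical policy values; a real deployment sets these per data store (Step 1).
POLICY = {
    "window": timedelta(minutes=5),
    "max_queries_per_window": 5,   # query throttling
    "min_group_size": 5,           # response restriction: no row-level results below this
    "max_distinct_filters": 3,     # anomaly: many different attributes queried in one window
    "business_hours": (7, 19),     # anomaly: access outside these UTC hours
    "epsilon": 1.0,                # differential privacy budget for released counts
}


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, user, table, column, rows = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user, "table": table, "column": column, "rows": int(rows),
    }


def laplace_count(true_count, epsilon, rng=None):
    """Release a count with Laplace noise of scale 1/epsilon (a counting query has sensitivity 1)."""
    rng = rng or random.Random()
    u = max(rng.random() - 0.5, -0.499999999)  # uniform in (-0.5, 0.5), avoiding log(0)
    noise = -(1.0 / epsilon) * math.copysign(1.0, u) * math.log(1 - 2 * abs(u))
    return int(round(true_count + noise))


def evaluate(log_lines, policy=POLICY, seed=0):
    """Apply throttling, response restriction and anomaly rules to each query in order."""
    rng = random.Random(seed)
    recent = defaultdict(deque)   # user -> timestamps of admitted queries inside the window
    filters = defaultdict(deque)  # user -> (timestamp, filter column) inside the window
    decisions, alerts = [], []
    for entry in map(parse_line, log_lines):
        user, ts, column = entry["user"], entry["ts"], entry["column"]
        q, f = recent[user], filters[user]
        while q and ts - q[0] > policy["window"]:       # expire old window entries
            q.popleft()
        while f and ts - f[0][0] > policy["window"]:
            f.popleft()
        # 1. Query throttling: refuse queries beyond the per-window budget.
        if len(q) >= policy["max_queries_per_window"]:
            decisions.append((user, column, "THROTTLED"))
            alerts.append(f"{user}: query rate exceeded ({len(q)} queries in window)")
            continue
        q.append(ts)
        f.append((ts, column))
        # 2. Response restriction: small result sets are released only as a noisy count.
        if entry["rows"] < policy["min_group_size"]:
            released = laplace_count(entry["rows"], policy["epsilon"], rng)
            decisions.append((user, column, f"AGGREGATE_ONLY:{released}"))
        else:
            decisions.append((user, column, "ROWS"))
        # 3. Anomaly detection: many distinct filter attributes, or off-hours access.
        distinct = {c for _, c in f}
        if len(distinct) > policy["max_distinct_filters"]:
            alerts.append(f"{user}: {len(distinct)} distinct filter attributes in window "
                          "(possible incremental reconstruction)")
        start, end = policy["business_hours"]
        if not start <= ts.hour < end:
            alerts.append(f"{user}: off-hours query at {ts.isoformat()}")
    return {"decisions": decisions, "alerts": alerts}


if __name__ == "__main__":
    result = evaluate(SAMPLE_LOG)
    for d in result["decisions"]:
        print("decision", *d)
    for a in result["alerts"]:
        print("ALERT", a)
```

Run as a script, the monitor lets the first user's broad queries through as rows, switches to noisy aggregate counts once the filters narrow the result below the minimum group size, raises a reconstruction alert as the distinct-attribute count climbs, throttles the sixth query in the window, and flags the off-hours query from the third user while the ordinary daytime query from the second user passes silently. Routing the alerts list into the insider threat program (Step 4) is what turns this from logging into investigation.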

Common mistakes:

  • Protecting production databases but ignoring analytics replicas, staging environments, or data warehouses that contain the same sensitive data.
  • Relying solely on database audit logs without active query analysis or anomaly detection.
  • Failing to define authorized mining activities, which makes it impossible to distinguish unauthorized mining from routine analytics. Organizations working through the full Access Control family often discover this gap during their first internal review.
  • Treating AC-23 as an IT-only control when it requires privacy, legal, and business unit involvement. Building a comprehensive NIST SP 800-53 program requires cross-functional ownership from the start.

For your vendors

What to ask in a security questionnaire

  • Does the vendor maintain a policy governing authorized and unauthorized data mining activities?
  • What techniques does the vendor employ to detect and prevent unauthorized data mining against your data?
  • Does the vendor limit query frequency, response types, or apply differential privacy techniques to data stores containing your information?
  • Is the vendor’s data mining protection integrated with an insider threat monitoring program?

What evidence to request

  • Data mining protection policy and procedures documentation.
  • Configuration evidence showing query throttling, response restrictions, or differential privacy applied to relevant data stores.
  • Audit logs demonstrating monitoring for atypical database access patterns.
  • Insider threat program documentation showing data mining detection as an input.

Red flags

  • The vendor can’t identify which data stores contain your information or how they’re protected from mining.
  • No documented policy distinguishing authorized from unauthorized data mining.
  • Database audit logs exist but aren’t actively analyzed for anomalous query patterns.
  • The vendor treats security questionnaire responses about data mining as not applicable, despite storing structured data on your behalf.

How to verify beyond self-attestation

Request a live demonstration of query monitoring capabilities or independent audit reports that cover database access controls and anomaly detection. Cross-reference the vendor’s insider threat program documentation with their data mining protection procedures to confirm integration.

Evidence examples

Data mining protection policy: Access control policy defining authorized data mining activities, prohibited techniques, and escalation procedures for unauthorized mining attempts.
Query monitoring configuration: System configuration settings showing query frequency limits, response type restrictions, and anomaly detection thresholds per data store.
Data store inventory: Catalog of protected data storage objects (databases, warehouses, record stores) with assigned risk classifications and applicable mining protections.
Audit logs and alerts: System audit records showing database query monitoring, atypical access notifications, and investigation outcomes.
Privacy governance documentation: Privacy plan documenting how differential privacy techniques or homomorphic encryption are applied to high-risk data stores.
Insider threat integration: Insider threat program procedures showing how anomalous database query alerts from data mining detection are routed to the PM-12 program for investigation.

For a broader view of evidence requirements across the Access Control family, see the NIST 800-53 compliance checklist.

Cross-framework mapping

No applicable content for this control.

  • PM-12, Insider Threat Program: Establishes the organizational insider threat program that AC-23 data mining detection feeds into, ensuring anomalous query behavior triggers investigation and response.
  • PT-02, Authority to Process Personally Identifiable Information: Governs the authorization framework for processing PII, which directly determines whether data mining activities involving personal information are permitted under AC-23.
  • AU-13, Monitoring for Information Disclosure: Monitors for organizational information that may have been mined or obtained from data stores and is available on external sites, complementing AC-23’s internal data store protections.
  • AC-03, Access Enforcement: Enforces approved authorizations for logical access to information and system resources, providing the foundational access layer that AC-23 builds upon with mining-specific protections.
  • AU-06, Audit Record Review, Analysis, and Reporting: Reviews and analyzes system audit records for indications of inappropriate or unusual activity, directly supporting AC-23’s requirement to detect atypical database query patterns.

Frequently asked questions

What is NIST SP 800-53 AC-23?

AC-23 is the NIST SP 800-53 control that governs how organizations protect data stores from unauthorized pattern extraction through analytical queries. Unlike most access controls that gate who can read data, AC-23 addresses what authorized users can infer by mining it repeatedly. The control sits outside all three standard baselines (Low, Moderate, High), which means it applies only when an authorizing official explicitly selects it or when privacy requirements mandate protection of personally identifiable information against mining. Organizations must consult the senior agency official for privacy before permitting any data mining activity involving PII.

What happens if AC-23 is not implemented?

Without AC-23, organizations have no systematic defense against insiders or compromised accounts reconstructing sensitive datasets through incremental queries. The absence directly weakens the PM-12 insider threat program, since unauthorized data mining is a primary exfiltration technique that insider threat detection must cover. In practice, this control gap means that an organization can pass traditional access control audits while remaining fully exposed to pattern-extraction attacks that exploit authorized read permissions.

How do you audit AC-23?

Auditors assess AC-23 by examining the organization’s data mining protection policy, verifying that protected data storage objects are inventoried and classified, and testing whether deployed techniques such as query frequency limits, response type restrictions, or differential privacy mechanisms are actively enforced. They review system audit logs for evidence that atypical database queries trigger notifications and investigation. Auditors also interview personnel responsible for privacy governance to confirm that authorized data mining activities are documented and that the senior agency official for privacy has been consulted on mining authorizations.

What techniques satisfy AC-23 data mining protection requirements?

NIST guidance identifies four primary technique categories, and auditors expect organizations to select and combine them based on the sensitivity of each data store. The selection decision hinges on whether the primary risk is external query abuse (where query throttling and response restriction raise the work factor) or internal pattern reconstruction (where differential privacy and homomorphic encryption prevent record-level inference even from authorized users). Most implementations that pass audit combine at least two technique categories with atypical-access notifications as a detection backstop.
