Does your authorization system consider contextual attributes such as geolocation, time of access, or device security posture when making access decisions?
Explanation
Context-aware authorization enhances security by evaluating not just who is requesting access, but also the circumstances of the request. For example, your system might deny access to sensitive data when requested from an unusual location, outside business hours, or from a device that doesn't meet security requirements.
Evidence of implementation could include documentation of your authorization policy rules showing contextual factors, screenshots of configuration settings in your identity management system that enable attribute-based access control, or logs demonstrating access decisions that were influenced by contextual attributes.
Implementation Example
Take attributes of the requester and the requested resource into account for authorization decisions (e.g., geolocation, day/time, requester endpoint's cyber health)
ID: PR.AA-05.208
Context
- Function
- PR: PROTECT
- Category
- PR.AA: Identity Management, Authentication, and Access Control
- Sub-Category
- Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
Related questions
- Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
- Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
- Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
- Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
- Does your organization verify individuals' identities during enrollment using government-issued credentials?
- Does your organization issue unique credentials to each individual user and prohibit credential sharing?

