The organization: AC-1a.
Develops, documents, and disseminates to Assignment: organization-defined personnel or roles: AC-1a.1.
An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AC-1a.2.
Procedures to facilitate the implementation of the access control policy and associated access controls; and AC-1b.
Reviews and updates the current: AC-1b.1.
Access control policy Assignment: organization-defined frequency; and AC-1b.2.
Access control procedures Assignment: organization-defined frequency.