AC-1 - Policy and Procedures

AC-1 requires an organization to create, document, and distribute an access control policy and the procedures that support it. The policy defines the overall framework for managing access to information systems, and the procedures detail how the policy will be implemented, maintained, and reviewed.