ACR-3.15v1.0

Tool access policies SHALL be versioned and changes require documented approval.

Domain

03 — Domain 3: Tool and API Governance

Eval Method

EIEvidence Inspection

Risk Weight

3 / 10

Applicability

L1L2L3

Description#

Tool access policies SHALL be versioned and changes require documented approval.

Evaluation Method#

EIEvidence Inspection

Compliance is evaluated through inspection of documentary evidence including architecture documents, configuration artifacts, and operational records.

Evidence Requirements#

The following evidence artifacts must be provided to demonstrate compliance with this control:

Level Applicability#

Level	Applicable	Implication
L1	No	Not evaluated at L1. This control applies at higher certification levels only.
L2	No	Not evaluated at L2.
L3	No	Not evaluated at L3.

This is a conditional control. Non-compliance with this ACR may result in conditional certification with a mandated remediation period. The Authorized Verification Body will specify the remediation timeline and required evidence for the condition to be cleared. If remediation is not completed within the specified period, the conditional certification will be revoked.

← PreviousACR-3.14: The system SHALL detect and reject tool responses containing injection payloads or anomalous data pa Next →ACR-3.16: The system SHALL support tool access revocation that takes effect immediately upon authorization cha

Tool access policies SHALL be versioned and changes require documented approval.

Description#

Evaluation Method#

Evidence Requirements#

Level Applicability#

Classification#