The access controls of subjects with certain privileges (i.e., access permissions) are not restricted from being passed to any other subjects, either directly or indirectly.
The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.