MAC

In AP Cybersecurity, MAC (Mandatory Access Control) is an access control model where a central authority assigns security labels to data and clearances to users, and the system, not individual owners, enforces who can read or modify each resource.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is MAC?

MAC stands for Mandatory Access Control. It's an access control model where a central policy, set by an administrator or the system itself, decides who gets to touch what. The key word is mandatory: regular users can't hand out their own permissions, even to files they created. The system enforces the rules from the top down.

Here's the intuitive version. Think of classified government files. A document gets a label like "Secret" or "Top Secret," and you get a clearance level. You can only open a file if your clearance matches or beats its label, and no one below you can override that. That clearance-and-label setup is exactly how MAC works. It sits inside the broader access control picture in Unit 4, alongside the question of authentication (proving who you are) versus authorization (deciding what you're allowed to do once you're in).

Why MAC matters in AP Cybersecurity

MAC lives in Unit 4: Securing Devices, connected to topic 4.2 Authentication and the surrounding access control concepts. Authentication mechanisms (covered in [AP Cybersecurity 4.2.C]) prove a user's identity using factors like something they know, have, or are. MAC picks up where authentication stops. Once the system knows who you are, MAC decides what that identity is cleared to access. The big theme here is the CIA triad, especially confidentiality: MAC's whole job is making sure sensitive data only reaches people with the right clearance. Understanding MAC also clarifies why MFA and strong login settings matter ([AP Cybersecurity 4.2.B], [AP Cybersecurity 4.2.D]): if an attacker steals one account, MAC limits the damage to whatever that account was cleared to see.

How MAC connects across the course

DAC (Discretionary Access Control) (Unit 4)

DAC is MAC's opposite. In DAC, the owner of a file decides who else gets access, like sharing a Google Doc and adding people yourself. In MAC, you can't do that even if you want to, because a central authority controls everything.

Bell-LaPadula model (Unit 4)

Bell-LaPadula is the classic blueprint for how MAC enforces confidentiality. Its 'no read up, no write down' rules are literally MAC's clearance-and-label logic written out as formal rules.

RBAC and RuBAC (Unit 4)

These are other access control models you'll compare against MAC. RBAC ties permissions to job roles and RuBAC ties them to rules or conditions, while MAC ties them to security labels and clearances set by a central authority.

Authorization (Unit 4)

MAC is one way to implement authorization. Authentication confirms you are who you claim to be, then authorization (via a model like MAC) decides exactly what you're permitted to access.

Is MAC on the AP Cybersecurity exam?

Expect MAC to show up in multiple-choice questions that ask you to match a scenario to the right access control model. A stem describing a system where a central authority assigns clearances and security labels, and where users cannot change permissions on their own files, is pointing straight at MAC. You'll often need to tell MAC apart from DAC, RBAC, and RuBAC in the same question. No released FRQ has used the term MAC verbatim, but knowing it strengthens any answer about protecting confidentiality and limiting an attacker's access after a compromised login.

MAC vs DAC (Discretionary Access Control)

MAC and DAC are constantly mixed up because they're both access control models, but they answer 'who decides?' in opposite ways. In MAC, a central authority decides and users have no discretion. In DAC, the resource owner has the discretion to grant or deny access. If the scenario says users can share their own files, it's DAC; if a system enforces fixed clearances no one can override, it's MAC.
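
The MAC vs DAC contrast above, together with the Bell-LaPadula 'no read up, no write down' rules, as an added Python example that is not part of the original study guide. The user names, label levels, and the "admin" authority are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):  # constructed label ordering, low to high
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2

# Clearances are assigned by the central authority (constructed sample users).
CLEARANCES = {"alice": Level.TOP_SECRET, "bob": Level.SECRET, "carol": Level.UNCLASSIFIED}

@dataclass
class Resource:
    name: str
    owner: str
    label: Level                            # MAC: security label on the data
    acl: set = field(default_factory=set)   # DAC: users the owner shared with

def dac_share(res, actor, grantee):
    """DAC: the owner, and only the owner, may grant access to anyone."""
    if actor != res.owner:
        return False
    res.acl.add(grantee)
    return True

def dac_can_read(res, user):
    return user == res.owner or user in res.acl

def mac_can_read(res, user):
    """No read up: the clearance must match or beat the label."""
    return CLEARANCES[user] >= res.label

def mac_can_write(res, user):
    """No write down: a user may not write to data labeled below their clearance."""
    return CLEARANCES[user] <= res.label

def mac_relabel(res, actor, new_label, authority="admin"):
    """Only the central authority (hypothetical 'admin') may change a label."""
    if actor != authority:
        return False
    res.label = new_label
    return True

if __name__ == "__main__":
    plan = Resource("ops-plan", owner="alice", label=Level.TOP_SECRET)
    memo = Resource("lunch-memo", owner="carol", label=Level.UNCLASSIFIED)
    dac_share(plan, "alice", "carol")  # the owner shares her own file
    print("DAC read by carol:", dac_can_read(plan, "carol"))
    print("MAC read by carol:", mac_can_read(plan, "carol"))
    print("MAC write by alice to memo:", mac_can_write(memo, "alice"))
    print("Owner relabel allowed:", mac_relabel(plan, "alice", Level.UNCLASSIFIED))
```

Under DAC the owner's share is enough for carol to read the file; under MAC the same share changes nothing, because the decision depends only on the label and the clearance.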

Key things to remember about MAC

  • MAC stands for Mandatory Access Control, a model where a central authority, not individual users, decides who can access each resource.

  • MAC works through security labels on data and clearances on users, so you can only access something if your clearance matches or beats its label.

  • MAC is the opposite of DAC, where the file's owner gets to decide who else has access.

  • MAC primarily protects confidentiality, the part of the CIA triad focused on keeping sensitive data away from unauthorized people.

  • Authentication proves who you are, while MAC handles authorization, deciding what you're allowed to do once you're verified.

Frequently asked questions about MAC

What is MAC in cybersecurity?

MAC stands for Mandatory Access Control, an access control model where a central authority assigns security labels to data and clearances to users. Users can't change permissions themselves; the system enforces who can read or modify each resource.

How is MAC different from DAC?

MAC has a central authority make all access decisions, and users have no power to share their own files. DAC (Discretionary Access Control) lets the owner of a resource decide who gets access, like adding people to a shared document. The simple test: if the user can grant access, it's DAC; if only the system can, it's MAC.

Is MAC the same as multifactor authentication?

No. That's a common mix-up because of the acronym. MAC here means Mandatory Access Control, which is about authorization (what you can access). Multifactor authentication is about proving your identity using multiple factors. They're related but solve different problems.

Where does MAC fit on the AP Cybersecurity exam?

MAC appears in Unit 4: Securing Devices, near topic 4.2 Authentication and the access control models. You'll likely see it in multiple-choice questions asking you to identify the right model from a scenario, often contrasted with DAC, RBAC, and RuBAC.

Why would an organization use MAC instead of letting users manage permissions?

MAC protects confidentiality by keeping access decisions out of users' hands, which is critical for highly sensitive data like classified government files. It also limits damage if one account is compromised, since a stolen login only reaches whatever its clearance allows.
