The organization:
 (a)   Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
 (b)   Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.

Supplemental Guidance:  The need for certain assigned user privileges may change over time reflecting changes in organizational missions/business function, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions. Related control: CA-7.

References :

https://issues.redhat.com/browse/CMP-120

Work to do:

• Check if any RBAC rule validation needs to done for roles and permissions.
• Update control response.