zydronium/manage.get.gov
1
0
Fork 0
mirror of https://github.com/cisagov/manage.get.gov.git synced 2025-08-05 09:21:54 +02:00
Code Issues Projects Releases Packages Wiki Activity
manage.get.gov/docs/compliance/dist/system-security-plans/ato/ac-14.md
Logan McDonald 1d3dfdb8d5
Add compliance documentation to source control (#116) 
* add initial setup of compliance-trestle
2022-09-14 08:46:43 -04:00

2.9 KiB
Raw Blame History

implementation-status control-origination
c-not-implemented
c-inherited-cloud-gov
c-inherited-cisa
c-common-control
c-system-specific-control

ac-14 - [catalog] Permitted Actions Without Identification or Authentication

Control Statement

  • [a] Identify user actions that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and

  • [b] Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

Control guidance

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be "none."

Control assessment-objective

user actions that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified; user actions not requiring identification or authentication are documented in the security plan for the system; a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.

What is the solution and how is it implemented?

Implementation a.

Add control implementation description here for item ac-14_smt.a

Implementation b.

Add control implementation description here for item ac-14_smt.b