This page is classified as INTERNAL.
NIST 800-53 (r4) Control
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [FedRAMP Assignment: (L) (M) (H) at least annually]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [FedRAMP Assignment: (H) at least annually and any time there is a change to the user's level of access, (L) (M) at least annually].
NIST 800-53 (r4) Supplemental Guidance
Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related controls: PL-4, PS-2, PS-3, PS-4, PS-8.
NIST 800-53 (r5) Discussion
Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.
Meets Minimum Requirement:
Develop and document access agreements; corporate-level agreements MAY be acceptable, but system-specific agreements are preferred
Review access agreements at least annually (NLT annually) and produce evidence that the review actually happened (e.g. a dated review log within the document)
Have individuals review and sign the agreement, with the understanding that a signature is a prerequisite for system access (no signature, no account)
Store signed Access Agreements within the authorization boundary or in a FedRAMP-authorized external service
Have individuals re-sign access agreements whenever an agreement is updated or at least annually; for (H), also whenever a user's level of access changes
Best Practice:
Maintain system-specific Access Agreements
Consider specialized Access Agreements for highly privileged roles (e.g. administrators with access to all customer data)
Encourage individuals to maintain copies of their Access Agreements
Incorporate Access Agreements into access control procedures
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review access agreements
Review evidence that access agreements are reviewed and updated
Spot inspect access agreements for specific users to ensure they were signed prior to system access
Interview users to ensure that they have signed access agreements
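The spot-inspection above (signed before access, re-signed after an update or annually, and for High whenever access level changes) is easy to automate once signature dates are kept in a register next to account-provisioning dates. The script below is an added illustration and is not part of this page's guidance or any tool it references; the register layout (Agreement, User fields), the sample records and the use of a 365-day window for "annually" are all assumptions chosen for the example. It encodes the PS-6 (b) and (c) rules as checks and returns findings for an assessor-style report.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Agreement:
    """One access agreement (e.g. rules of behavior) and its review history."""
    name: str
    version: int
    updated_on: date        # date this version was published
    last_reviewed_on: date  # PS-6 (b): must be reviewed at least annually


@dataclass
class User:
    """One row of the (assumed) signature register joined to provisioning data."""
    user_id: str
    access_granted_on: date
    signed_on: Optional[date]            # None = no signature on file
    signed_version: Optional[int]        # agreement version the user signed
    last_access_change_on: Optional[date] = None  # PS-6 (c)(2) trigger for (H)


ANNUAL = timedelta(days=365)  # assumption: "at least annually" == 365 days


def check_agreement_review(agreement: Agreement, today: date) -> bool:
    """PS-6 (b): the agreement itself was reviewed within the last year."""
    return today - agreement.last_reviewed_on <= ANNUAL


def check_user(user: User, agreement: Agreement, baseline: str, today: date) -> List[str]:
    """PS-6 (c): return a list of findings for one user; empty list = compliant.

    baseline is "L", "M" or "H"; only (H) requires re-signature on access change.
    """
    if user.signed_on is None:
        return [f"{user.user_id}: no signed agreement on file (PS-6 c.1)"]

    findings = []
    # c.1: signature must predate (or coincide with) the grant of access
    if user.signed_on > user.access_granted_on:
        findings.append("signed after access was granted (PS-6 c.1)")
    # c.2: agreement updated since the user signed -> re-sign required
    if user.signed_version != agreement.version or user.signed_on < agreement.updated_on:
        findings.append("agreement updated since signature; re-sign required (PS-6 c.2)")
    # c.2: annual re-signature for every baseline
    if today - user.signed_on > ANNUAL:
        findings.append("signature older than one year; re-sign required (PS-6 c.2)")
    # c.2 (H only): re-sign whenever the user's level of access changes
    if (baseline == "H" and user.last_access_change_on is not None
            and user.last_access_change_on > user.signed_on):
        findings.append("access level changed since signature; re-sign required (PS-6 c.2, H)")
    return [f"{user.user_id}: {f}" for f in findings]


def audit(users: List[User], agreement: Agreement, baseline: str, today: date) -> List[str]:
    """Run the agreement-level and per-user checks and collect all findings."""
    findings = []
    if not check_agreement_review(agreement, today):
        findings.append(f"{agreement.name}: not reviewed within the last year (PS-6 b)")
    for user in users:
        findings.extend(check_user(user, agreement, baseline, today))
    return findings


# Constructed sample data for the example (not real users or agreements).
TODAY = date(2024, 6, 1)
SAMPLE_AGREEMENT = Agreement("Rules of Behavior", version=3,
                             updated_on=date(2024, 1, 15),
                             last_reviewed_on=date(2024, 1, 15))
SAMPLE_USERS = [
    # signed current version before access: compliant
    User("alice", date(2024, 2, 1), date(2024, 1, 20), 3),
    # signed after access, old version, and over a year ago: three findings
    User("bob", date(2023, 3, 1), date(2023, 3, 5), 2),
    # compliant at L/M; access level changed after signing -> finding at H only
    User("carol", date(2024, 3, 1), date(2024, 2, 28), 3,
         last_access_change_on=date(2024, 4, 10)),
    # account exists but nothing on file: one finding
    User("dave", date(2024, 5, 1), None, None),
]

if __name__ == "__main__":
    for baseline in ("M", "H"):
        print(f"--- baseline {baseline} ---")
        for line in audit(SAMPLE_USERS, SAMPLE_AGREEMENT, baseline, TODAY):
            print(line)
```

Run against a real register, the input would come from the HR/ticketing system that stores signatures and from the identity provider's account-creation and role-change timestamps; the comparison logic is the same. The version check and the `updated_on` check are deliberately redundant so that a register that records the version but not the agreement's publication date still produces the re-sign finding.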
CSP Implementation Tips:
AWS: Inherited only for AWS personnel; access agreements for your own staff are your responsibility and cannot be inherited from the IaaS provider
Azure: Inherited only for Microsoft personnel; agreements for your own staff remain your responsibility
GCP: Inherited only for Google personnel; agreements for your own staff remain your responsibility