Navigate

CCI-000232

CCI-000232 Definition

Document and provide supporting rationale in the security plan for the system, user actions not requiring identification and authentication.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - user actions not requiring identification or authentication are documented in the security plan for the system. - a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing permitted actions without identification or authentication; system configuration settings and associated documentation; security plan; list of user actions that can be performed without identification or authentication; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000232.

Control	Description
AC-14	a: Identify [user actions that can be performed on the system without identification or authentication are defined;] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b: Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

Control

Description

AC-14

a: Identify [user actions that can be performed on the system without identification or authentication are defined;] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and

b: Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.