Navigate

PS-6

PS-6: Access Agreements

a: Develop and document access agreements for organizational systems;

b: Review and update the access agreements [the frequency at which to review and update access agreements is defined;] ; and

c: Verify that individuals requiring access to organizational information and systems:
- 1: Sign appropriate access agreements prior to being granted access; and
- 2: Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [the frequency at which to re-sign access agreements to maintain access to organizational information is defined;].

Supplemental

Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
DAF Baseline, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate), Privacy Control Baseline (CNSSI 1253)

CSF Categories
PR.DS-5, PR.IP-11

Related Controls

The controls below (if any) were marked by NIST as being related to PS-6.

Control	Description
AC-17	a: Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b: Authorize each type of remote access to the system prior to allowing such connections.
PE-2	a: Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; b: Issue authorization credentials for facility access; c: Review the access list detailing authorized facility access by individuals [frequency at which to review the access list detailing authorized facility access by individuals is defined;] ; and d: Remove individuals from the facility access list when access is no longer required.
PL-4	a: Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; b: Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; c: Review and update the rules of behavior [frequency for reviewing and updating the rules of behavior is defined;] ; and d: Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [one or more of "{{ insert: param, pl-04_odp.03 }} "/"when the rules are revised or updated"].
PS-2	a: Assign a risk designation to all organizational positions; b: Establish screening criteria for individuals filling those positions; and c: Review and update position risk designations [the frequency at which to review and update position risk designations is defined;].
PS-3	a: Screen individuals prior to authorizing access to the system; and b: Rescreen individuals in accordance with [one of ].
PS-6	a: Develop and document access agreements for organizational systems; b: Review and update the access agreements [the frequency at which to review and update access agreements is defined;] ; and c: Verify that individuals requiring access to organizational information and systems: 1: Sign appropriate access agreements prior to being granted access; and 2: Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [the frequency at which to re-sign access agreements to maintain access to organizational information is defined;].
PS-7	a: Establish personnel security requirements, including security roles and responsibilities for external providers; b: Require external providers to comply with personnel security policies and procedures established by the organization; c: Document personnel security requirements; d: Require external providers to notify [personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;] ; and e: Monitor provider compliance with personnel security requirements.
PS-8	a: Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and b: Notify [personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;] within [the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
SA-21	Require that the developer of [the system, systems component, or system service that the developer has access to is/are defined;]: a: Has appropriate access authorizations as determined by assigned [official government duties assigned to the developer are defined;] ; and b: Satisfies the following additional personnel screening criteria: [additional personnel screening criteria for the developer are defined;].
SI-12	Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

Enhancements

The controls below (if any) add on to the requirements of PS-6.

Control	Description
PS-6(1)
PS-6(2)	Verify that access to classified information requiring special protection is granted only to individuals who: (a): Have a valid access authorization that is demonstrated by assigned official government duties; (b): Satisfy associated personnel security criteria; and (c): Have read, understood, and signed a nondisclosure agreement.
PS-6(3)	(a): Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and (b): Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.

Related CCIs

The CCIs below are tied to PS-6.

CCI	Definition
CCI-001532	Review and update the access agreements for organizational systems in accordance with organization-defined frequency.
CCI-001533	Defines the frequency with which to review and update access agreements for organizational systems.
CCI-003035	Develop and document access agreements for organizational systems.
CCI-004513	Verify that individuals requiring access to organizational information sign appropriate access agreements prior to being granted access.
CCI-004514	Verify that individuals requiring access to organizational systems sign appropriate access agreements prior to being granted access.
CCI-004515	Verify that individuals requiring access to organizational information re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or in accordance with organization-defined frequency.
CCI-004516	Verify that individuals requiring access to organizational systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or in accordance with organization-defined frequency.
CCI-004517	Defines the frequency for individuals requiring access to organizational information to re-sign access agreements.
CCI-004518	Defines the frequency for individuals requiring access to organizational systems to re-sign access agreements.