Navigate

PS-6

PS-6: Access Agreements

The organization:

a: Develops and documents access agreements for organizational information systems;

b: Reviews and updates the access agreements [one of ]; and

c: Ensures that individuals requiring access to organizational information and information systems:
- 1: Sign appropriate access agreements prior to being granted access; and
- 2: Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [one of ].

Supplemental

Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

CSF Categories
PR.DS-5, PR.IP-11

Related Controls

The controls below (if any) were marked by NIST as being related to PS-6.

Control	Description
PL-4	The organization: a: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; b: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; c: Reviews and updates the rules of behavior [one of ]; and d: Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.
PS-2	The organization: a: Assigns a risk designation to all organizational positions; b: Establishes screening criteria for individuals filling those positions; and c: Reviews and updates position risk designations [one of ].
PS-3	The organization: a: Screens individuals prior to authorizing access to the information system; and b: Rescreens individuals according to [one of ].
PS-4	The organization, upon termination of individual employment: a: Disables information system access within [one of ]; b: Terminates/revokes any authenticators/credentials associated with the individual; c: Conducts exit interviews that include a discussion of [one of ]; d: Retrieves all security-related organizational information system-related property; e: Retains access to organizational information and information systems formerly controlled by terminated individual; and f: Notifies [one of ] within [one of ].
PS-8	The organization: a: Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and b: Notifies [one of ] within [one of ] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Enhancements

The controls below (if any) add on to the requirements of PS-6.

Control	Description
PS-6(1)
PS-6(2)	The organization ensures that access to classified information requiring special protection is granted only to individuals who: (a): Have a valid access authorization that is demonstrated by assigned official government duties; (b): Satisfy associated personnel security criteria; and (c): Have read, understood, and signed a nondisclosure agreement.
PS-6(3)	The organization: (a): Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and (b): Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.

Related CCIs

The CCIs below are tied to PS-6.

CCI	Definition
CCI-001531	The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
CCI-001532	Review and update the access agreements for organizational systems in accordance with organization-defined frequency.
CCI-001533	Defines the frequency with which to review and update access agreements for organizational systems.
CCI-003035	Develop and document access agreements for organizational systems.
CCI-003036	The organization ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or in accordance with organization-defined frequency.
CCI-003037	The organization defines the frequency for individuals requiring access to organization information and information systems to re-sign access agreements.