AC-14-727 Permitted Actions without Identification or Authentication

AC-14-727
Permitted Actions without Identification or Authentication
Access Control
LOW, MOD, HIGH
P3
Yes
August 17, 2016

All actions on internal information resources shall require an Agency-issued identifier that must be presented to the information resource before any actions may be permitted. Publicly accessible information resources do not require an identifier for those functions which are accessible to the public. All other functions shall be treated as an internal information resource.

During an emergency, access to information will not be available or will be disclosed to unauthorized parties.
The organization:
a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
Emergency IDs have only selective administrative ability.
The state organization identifies, documents, and provides supporting rationale in the security plan for any actions that may be performed on an information system without identification or authentication.
Obtain access control policy; procedures addressing permitted actions without identification and authentication; information system configuration settings and associated documentation; security plan; other relevant documents or records and ascertain if the organization identifies and documents specific user actions that can be performed on the information system without identification or authentication.