
AC-14 Permitted Actions Without Identification or Authentication

Baselines: LI-SaaS, Low, Moderate, High

>Control Description

a. Identify organization-defined user actions that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and

b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed.

Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be none.
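The discussion above describes a narrow, explicitly enumerated set of unauthenticated actions, each justified in the security plan, with the option that the set is empty ("none"). The following is an added illustration, not code from the page or from FedRAMP: a default-deny authentication gate in which the allowlist of unauthenticated actions is the documented AC-14 list. Every action not on the list requires authentication, every entry must carry a rationale (part b of the control), and the same allowlist doubles as the security-plan evidence an assessor would ask for. The action names, the `AuthGate` class and the sample request records are all constructed for this example.

```python
"""Default-deny authentication gate with an explicit AC-14 allowlist.

Added example, not from the page. Actions not on the allowlist always
require authentication; an empty allowlist is the "none" case the
control discussion permits.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class PermittedAction:
    """One user action allowed without identification or authentication."""
    action: str      # hypothetical action label, e.g. "GET /public/status"
    rationale: str   # supporting rationale recorded in the security plan (AC-14 b)


@dataclass
class AuthGate:
    """Authentication gate: deny by default, allow only listed actions."""
    permitted: dict[str, PermittedAction] = field(default_factory=dict)

    def permit(self, action: str, rationale: str) -> None:
        """Add an unauthenticated action; a rationale is mandatory (AC-14 b)."""
        if not rationale.strip():
            raise ValueError(f"AC-14 b: action {action!r} needs a documented rationale")
        self.permitted[action] = PermittedAction(action, rationale)

    def requires_authentication(self, action: str) -> bool:
        """True unless the action is on the documented allowlist."""
        return action not in self.permitted

    def authorize(self, action: str, authenticated: bool) -> str:
        """Return 'allow', 'allow-unauthenticated' or 'deny' for a request."""
        if authenticated:
            return "allow"
        if action in self.permitted:
            return "allow-unauthenticated"
        return "deny"

    def security_plan_entries(self) -> list[tuple[str, str]]:
        """The (action, rationale) pairs an assessor would expect to see documented."""
        return [(p.action, p.rationale) for p in self.permitted.values()]


def build_example_gate() -> AuthGate:
    """Constructed allowlist: two public read-only actions, everything else gated."""
    gate = AuthGate()
    gate.permit("GET /public/status", "Public service-status page; no user data exposed")
    gate.permit("GET /public/privacy-notice", "Statutorily required public notice")
    return gate


# Constructed sample request records (not real traffic): (action, authenticated)
SAMPLE_REQUESTS: list[tuple[str, bool]] = [
    ("GET /public/status", False),
    ("GET /admin/users", False),
    ("GET /admin/users", True),
    ("POST /api/orders", False),
]


def evaluate_requests(gate: AuthGate, requests: list[tuple[str, bool]]) -> list[str]:
    """Run each request through the gate and return the decisions in order."""
    return [gate.authorize(action, authed) for action, authed in requests]


def unauthenticated_denials(gate: AuthGate, requests: list[tuple[str, bool]]) -> int:
    """Count unauthenticated requests to actions that require authentication.

    A useful monitoring figure: a rising count can indicate probing of
    gated actions or a missing entry in the documented allowlist.
    """
    return sum(
        1 for action, authed in requests
        if not authed and gate.requires_authentication(action)
    )


if __name__ == "__main__":
    gate = build_example_gate()
    for (action, authed), decision in zip(SAMPLE_REQUESTS, evaluate_requests(gate, SAMPLE_REQUESTS)):
        print(f"{decision:22} {action} (authenticated={authed})")
    print("security plan entries:", gate.security_plan_entries())
    print("unauthenticated denials:", unauthenticated_denials(gate, SAMPLE_REQUESTS))
```

The design point is that the allowlist is the only place an unauthenticated action can be introduced, and introducing one without a rationale is rejected, so the code path and the security-plan documentation cannot drift apart. An organization that decides on "none" simply constructs `AuthGate()` with no entries, and every unauthenticated request is denied.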

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AC-14 (Permitted Actions Without Identification or Authentication)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AC-14?
  • How frequently is the AC-14 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AC-14?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AC-14 requirements.
  • What automated tools, systems, or technologies are deployed to implement AC-14?
  • How is AC-14 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AC-14 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AC-14?
  • What audit logs, records, reports, or monitoring data validate AC-14 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AC-14 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AC-14 compliance?
