>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

PS-6Access Agreements

LI-SaaS
Low
Moderate
High

>Control Description

a

Develop and document access agreements for organizational systems;

b

Review and update the access agreements organization-defined frequency; and

c

Verify that individuals requiring access to organizational information and systems:

1.

Sign appropriate access agreements prior to being granted access; and

2.

Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or organization-defined frequency.

>FedRAMP Baseline Requirements

Parameter Values

b
at least annually
c
2.
at least annually and any time there is a change to the user's level of access

>Discussion

Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

>Cross-Framework Mappings

SCF

HRS-06
Compare
HRS-06.1
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern access agreements for organizational personnel and third parties?
  • What specific security and privacy responsibilities are documented in access agreements?
  • Who reviews and approves access agreements?
  • How frequently are access agreements reviewed and re-signed?
  • What governance exists for ensuring access agreements are current and enforced?

Technical Implementation:

  • What systems capture and store signed access agreements?
  • How are users prevented from accessing systems without signed agreements?
  • What technical controls enforce re-acknowledgment of updated agreements?
  • How are access agreement status integrated with identity management systems?
  • What audit trails exist for access agreement signing and updates?

Evidence & Documentation:

  • Provide current access agreement templates used by the organization.
  • Provide signed access agreements for all personnel with system access.
  • Provide evidence that access is prevented until agreements are signed.
  • Provide records of access agreement updates and re-acknowledgment.
  • Provide audit trails showing access agreement signing dates.

Ask AI

Configure your API key to use AI features.