base control objective:
a. Ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and
b. Reviews/updates the access agreements [Assignment: organization-defined frequency].
supplemental objective information:
Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with the information system to which access is authorized. Electronic signatures are acceptable for use in acknowledging access agreements unless specifically prohibited by organizational policy.
enhancements to the base objective:
(1) The organization ensures that access to information with special protection measures is granted only to individuals who:
(a) Have a valid access authorization that is demonstrated by assigned official government duties; and
(b) Satisfy associated personnel security criteria.
Enhancement Supplemental Guidance: Information with special protection measures includes, for example, privacy information, proprietary information, and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements.
(2) The organization ensures that access to classified, national security information with special protection measures is granted only to individuals who:
(a) Have a valid access authorization that is demonstrated by assigned official government duties;
(b) Satisfy associated personnel security criteria consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; and
(c) Have read, understand, and signed a non-disclosure agreement.
Enhancement Supplemental Guidance: Examples of special protection measures include, for example, collateral, Special Access Program (SAP) and Sensitive Compartmented Information (SCI).
mapping to FIPS199 baseline:
related (regimented) controls:
documents referenced in SP800-53rev3 for PS-06: