BRACKETOLOGY | FEDRAMP

PS-6: ACCESS AGREEMENTS

FedRAMP Baseline Membership PS-6:

  • LOW
  • MODERATE
  • HIGH

The organization:

    • a. Develops and documents access agreements for organizational information systems;
    • b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
    • c. Ensures that individuals requiring access to organizational information and information systems:
      1. Sign appropriate access agreements prior to being granted access; and
      2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
FedRAMP control configuration for the LOW, MODERATE, and HIGH baselines (identical for all three):

The organization:

  • a. Develops and documents access agreements for organizational information systems;
  • b. Reviews and updates the access agreements at least annually; and
  • c. Ensures that individuals requiring access to organizational information and information systems:
    1. Sign appropriate access agreements prior to being granted access; and
    2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or at least annually.

SUPPLEMENTAL GUIDANCE

Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

CONTROL ENHANCEMENTS

PS-6 (1) ACCESS AGREEMENTS | INFORMATION REQUIRING SPECIAL PROTECTION

[Withdrawn: Incorporated into PS-3].

PS-6 (2) ACCESS AGREEMENTS | CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION

The organization ensures that access to classified information requiring special protection is granted only to individuals who:

    • (a) Have a valid access authorization that is demonstrated by assigned official government duties;
    • (b) Satisfy associated personnel security criteria; and
    • (c) Have read, understood, and signed a nondisclosure agreement.

Supplemental Guidance:

Classified information requiring special protection includes, for example, collateral information, Special Access Program (SAP) information, and Sensitive Compartmented Information (SCI). Personnel security criteria reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.

PS-6 (3) ACCESS AGREEMENTS | POST-EMPLOYMENT REQUIREMENTS

The organization:

    • (a) Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and
    • (b) Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.

Supplemental Guidance:

Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals.
