Access Control Plan

Approach basics → §4.x

Identity tooling, access-enforcement model, and the account lifecycle that everything else hangs off.

Identity and access management system of record * Authoritative identity source / IAM platform (e.g., Active Directory + Azure AD, Okta, AWS IAM, Keycloak).

Access-enforcement model — Select — RBAC (Role-Based) ABAC (Attribute-Based) RBAC with ABAC overlay DAC (Discretionary) MAC (Mandatory) Hybrid (specify in narrative) Primary access decision model. Most modern systems use RBAC or RBAC+ABAC.

Account lifecycle workflow (joiner / mover / leaver) End-to-end JML workflow: how new accounts are requested, approved, provisioned, modified on role change, and deprovisioned on departure. Mention tooling (ServiceNow, ITSM, Okta workflows) and approval thresholds.

Privileged access management (PAM) approach How privileged access is governed: standing privileges vs just-in-time, vault-based credential checkout, session recording, etc. Tooling (CyberArk, BeyondTrust, AWS SSO with permission sets, Teleport).

Identity Management → §4.x

Identity sources, lifecycle, federation, and authoritative records.

Authoritative identity source System of record for identity (e.g., 'Workday HR feeds Active Directory nightly').

Federation partners (if any)

Add item

Suggested: + Internal SSO (SAML / OIDC) + Login.gov + ID.me + DoD CAC (PIV) + Partner federation

External identity providers federated with the system. Add each via the Add button or pick from suggestions.

User populations served

Federal employees Contractors Privileged administrators Non-privileged users Service / machine accounts External partners Public / unauthenticated

Distinct populations the system authenticates. Each may have different controls applied.

Identity proofing level (NIST SP 800-63A) — Select — IAL1 (self-asserted) IAL2 (in-person or remote with verifiable evidence) IAL3 (in-person with biometric) Per NIST SP 800-63A. Most federal systems require IAL2; CUI/Secret often require IAL3.

Authenticator assurance level (NIST SP 800-63B) — Select — AAL1 (single factor) AAL2 (two factor) AAL3 (hardware-bound multi-factor) Per NIST SP 800-63B. Federal systems handling CUI typically require AAL2; privileged or classified often AAL3.

Access Enforcement → §4.x

How access decisions are made and enforced at the policy decision and enforcement points.

Policy decision point (PDP) Component that evaluates access requests against policy (e.g., 'AWS IAM', 'OPA + Rego policies', 'Application authorization layer').

Policy enforcement points (PEPs) Where decisions are enforced — load balancer, application middleware, OS-level (sudo / RBAC), database row-level security, etc.

Role definitions / catalog Where roles are defined and reviewed (e.g., 'Roles documented in iam-roles repo; reviewed quarterly by ISSO + Engineering Lead').

Attribute sources (for ABAC) If ABAC is in use, where attributes come from (HR system, IdP claims, classification labels) and how they're refreshed.

Privileged Access → §4.x

PAM tooling, just-in-time access, separation of duties, and recertification.

PAM tooling Privileged access management product / approach (e.g., CyberArk, BeyondTrust, AWS SSO permission sets, HashiCorp Vault, Teleport).

Just-in-time access approach How elevated privileges are requested and time-bound. Standing-privilege exceptions, if any.

Separation-of-duties enforcement How conflicting role pairs are prevented (e.g., 'Auditor and Production Deploy roles are mutually exclusive; enforced via Okta access policies').

Privileged access recertification cadence How often privileged role membership is reviewed and recertified by the role owner.

Session Management → §4.x

Idle timeouts, device locking, concurrent session limits.

Idle timeout before lock Time of inactivity before automatic device lock or session termination (e.g., '15 minutes for non-privileged; 5 minutes for privileged').

Lock mechanism How the lock is implemented (OS screen lock + session unlock requires re-authentication; web-app session timeout).

Session termination triggers Conditions that terminate (not just lock) a session: idle threshold, explicit logout, security event detection, account disable.

Concurrent session limits Whether and how concurrent sessions per account are limited (per role / per account-type).

Remote, Wireless, and Mobile Access → §4.x

VPN / remote-access mechanisms, wireless policy, mobile device approach.

Remote-access mechanisms How remote users connect (VPN, ZTNA, bastion host, SSH jump host) and what authentication is required (MFA, certificate, hardware token).

Remote-access monitoring How remote-access sessions are logged and monitored (SIEM rule, anomaly detection).

Wireless access policy Whether the system supports wireless access; if so, encryption requirements (WPA3 Enterprise), authentication, and segmentation.

Mobile device approach — Select — Corporate-owned, fully managed (MDM) Corporate-owned, MDM with app containerization BYOD with MAM only (app-level) BYOD with full MDM consent Mobile access not permitted

MDM / MAM tooling Tool managing mobile device policies (e.g., Intune, Workspace ONE, Jamf, Google MDM).

External System Connections → §4.x

Inventory of external systems, terms of use, and information-sharing controls.

External system connection inventory location Where the inventory of external connections is maintained (e.g., 'Boundary diagram in SSP §4.2 + ISA register in Confluence').

Terms-of-use mechanism How users acknowledge terms of use (banner / login click-through / signed AUP). References AC-8 (System Use Notification).

Information-sharing controls How information shared with external parties is controlled (DLP, watermarking, attribute-based release, ISA scope).

Identity Populations & Scopes → §2.x

Numerical and categorical scope of who accesses this system.

Total account count (approximate) Order of magnitude is fine (e.g., '~250 active accounts').

Privileged account count Number of privileged / administrative accounts.

External (non-employee) account count Contractor / partner / federated user counts.

Service / machine account count Non-human accounts used by automation, applications, or services.

Account Review & Recertification → §6.x

Cadence and process for reviewing account inventories and privilege assignments.

Account-inventory review cadence — Select — Continuous (event-driven) Weekly Monthly Quarterly Annually

Dormant-account threshold Inactivity duration that triggers disable / removal review (e.g., '30 days for privileged; 90 days for standard').

Privilege recertification process How role / privilege owners review and re-attest their members. Tooling and cadence.

Evidence-of-review storage location Where the signed / completed review records are stored.

Access Control Metrics & KPIs → §6.x

Metrics tracked to demonstrate AC control effectiveness over time.

Tracked metrics

Add item

Suggested: + % accounts reviewed within cadence + Mean time to deprovision (MTTD) on departure + % privileged accounts using MFA + Privileged account count (trend) + Dormant account count (trend) + Failed-authentication rate (trend) + % sessions terminated by idle timeout + Just-in-time elevation requests per quarter

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the AC control implementations are summarized (e.g., 'SSP §13.1').

POA&M ID prefix for AC findings Convention for AC-related POA&M items (e.g., 'POAM-AC-').

Audit-log correlation (AU-2 / AU-12) How authentication / access events are captured for the audit family. Specify SIEM index, log sources, retention.

IA family interaction AC depends on IA (Identification and Authentication) for the underlying identity proofing and authenticator strength. Reference how the two plans interact.

CA-7 continuous-monitoring strategy reference Pointer to the CA-7 monitoring strategy document tying AC continuous monitoring (account reviews, privileged-access metrics) to the broader ConMon plan.