1901 Access Control Policy
Department of Human Services
Index: POL1901
Revised: 06/02/2025
Next Review: 06/02/2027
Subject: DHS Information Security Policies
Policy
To establish and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components that limit access to information assets to only those individuals that are authorized to obtain it. The objective of this policy is to address the considerations that will help to ensure that the DHS IT resources and information systems are properly protected against unauthorized access, while meeting the access requirements for all authorized users. Critical to achieving this objective is the implementation of controls that address each of the requirements stated in this policy.
Authority
- United States Department of Commerce National Institute of Standards and Technology (NIST)
- United States Internal Revenue Service
- United States Department of Health & Human Services – Administration for Children and Families (ACF), Office of Child Support Services (OCSS)
- United States Department of Health & Human Services – Centers for Medicare & Medicaid Services (CMS)
- Georgia Technology Authority
- Social Security Administration
- Federal Bureau of Investigation (Criminal Justice Information Services)
References
- Georgia Technology Authority Enterprise Information Security Policy
- Centers for Medicare & Medicaid Services, Volume II: Minimum Acceptable Risk Standards for Exchanges
- Social Security Administration (“SSA”) Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration (“TSSR”)
- ACF/OCSS – Security Agreement
Applicability
The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.
Definitions
- Access Control: Access control is a way of limiting access to a system or to physical or virtual resources. In computing, access control is a process by which users are granted access and certain privileges to systems, resources, or information.
- Least Privilege: Least privilege is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs.
- Role-based Access Control (RBAC): Role-based Access Control (RBAC) is a method of access security that is based on a person’s role within a business or group.
- Controlled Unclassified Information (CUI): Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
Responsibilities
DHS shall adopt the Access Control principles established in NIST SP 800-53 “Access Control,” Control Family guidelines, as the official policy for this domain. The following subsections outline the Access Control standards that constitute this policy. Each DHS Business System is bound to this policy and shall develop or adhere to a program plan which demonstrates compliance with the policy related to the standards documented.
AC-1 Access Control Policy and Procedures
- Develop, document, and disseminate to designated agency personnel:
  - An organizational-level access control policy that:
    - Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    - Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  - Procedures to facilitate the implementation of the access control policy and the associated controls.
- Designate an agency official to manage the development, documentation, and dissemination of the access control policy and procedures; and
- Review and update the current access control:
  - Policy every one (1) year (or when there is a significant change); and
  - Procedures every one (1) year (or when there is a significant change).
AC-2 Account Management
- Define and document the types of accounts allowed and specifically prohibited for use within the system;
- Assign account managers;
- Require conditions for group and role membership;
- Specify:
  - Authorized users of the system;
  - Group and role membership; and
  - Access authorizations (i.e., privileges) and other attributes (as required) for each account.
- Require approvals by the system owner or designated representative for requests to create accounts;
- Create, enable, modify, disable, and remove accounts in accordance with agency account management procedures and prerequisites;
- Monitor the use of accounts;
- Notify account managers and the designated agency official within:
  - 24 hours when accounts are no longer required;
  - 8 hours when users are terminated or transferred; and
  - 8 hours when system usage or need-to-know changes for an individual;
- Authorize access to the systems based on:
  - A valid access authorization;
  - Intended system usage;
  - The authority to re-disclose FTI under the provisions of IRC 6103; and
  - The authority to re-disclose SSA data;
- Review accounts for compliance with account management requirements annually for user accounts and at least every ninety (90) days for privileged accounts;
- Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
- Align account management processes with personnel termination and transfer processes.
AC-2 (1) Automated System Account Management:
Support the management of system accounts using automated mechanisms.
AC-2 (2) Removal of Temporary and Emergency Accounts:
Automatically disable and remove temporary and emergency accounts after two (2) business days.
AC-2 (3) Disable Accounts:
Disable accounts within 120 days when the accounts:
- Have expired;
- Are no longer associated with a user or individual;
- Are in violation of organizational policy; or
- Have been inactive for 120 days for non-privileged accounts and 60 days for privileged accounts.
AC-2 (4) Automated Audit actions:
Automatically audit system account creation, modification, enabling, disabling, and removal actions.
AC-2 (5) Inactivity Logout: FOR CLOUD ENVIRONMENT ONLY
The organization requires that users log out when the time-period of inactivity will exceed twenty-four (24) hours.
AC-2 (7) Privileged User Accounts:
- Establish and administer privileged user accounts in accordance with a role-based access scheme or an attribute-based access scheme;
- Monitor privileged role or attribute assignments;
- Monitor changes to roles or attributes; and
- Revoke access when privileged role or attribute assignments are no longer appropriate.
AC-2 (9) Restrictions on Use of Shared and Group Accounts:
Only permit the use of shared and group accounts that meet agency-defined conditions for establishing shared and group accounts.
AC-3 Access Enforcement
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
IRS.1:
Users having accounts with administrator access privileges may access those accounts only from agency-owned or authorized contractor systems.
AC-3 (7) Role-Based Access Controls (RBAC):
The organization’s information system must enforce a role-based access control policy over defined subjects and objects and control access based upon the need to utilize SSA data.
AC-3 (8) Revocation of Access Authorization:
Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on organization-defined rules governing the timing of revocations of access authorizations.
AC-3 (9) Controlled Release:
Release information outside of the system only if:
- The receiving system accessing, processing, storing, or transmitting CUI provides the protections required by regulatory compliance standards such as IRS 1075, NIST 800-53, and CMS MARS-E; and
- Agency-defined controls, regulatory compliance requirements, and FedRAMP ATO are used to validate the appropriateness of the information designated for release.
AC-4 Information Flow Enforcement
Enforce approved authorizations for controlling the flow of CUI information within the system and between interconnected systems based on the technical safeguards in place to protect CUI.
AC-5 Separation of Duties
- Identify and document the duties of individuals that require separation, so that harmful activity cannot occur without collusion; and
- Define system access authorizations to support separation of duties.
AC-6 Least Privilege
The agency continuously utilizes the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
AC-6 (1) Authorize Access to Security Functions:
At a minimum, the organization explicitly authorizes access to the following list of security functions (deployed in hardware, software, and firmware) and security-relevant information:
- Setting/modifying audit logs and auditing behavior;
- Setting/modifying boundary protection system rules;
- Configuring/modifying access authorizations (i.e., permissions, privileges);
- Setting/modifying authentication parameters; and
- Setting/modifying system configurations and parameters.
AC-6 (2) Non-Privileged Access for Non-Security Functions:
At a minimum, the organization requires that users of information system accounts or roles with access to the following list of security functions or security-relevant information use non-privileged accounts or roles when accessing other system functions, and, if feasible, audits any use of privileged accounts or roles for such functions:
- Setting/modifying audit logs and auditing behavior;
- Setting/modifying boundary protection system rules;
- Configuring/modifying access authorizations (i.e., permissions, privileges);
- Setting/modifying authentication parameters; and
- Setting/modifying system configurations and parameters.
IRS.1:
Prohibit accounts with administrative privileges (including local administrator rights) from web browsing and other Internet connections outside of the local protected boundary unless such risk is accepted in writing by the agency’s CISO.
IRS.2:
Block accounts with administrative privileges (including local administrator rights) from access to email unless such risk is accepted in writing by the agency’s CISO.
AC-6 (5): Privileged Accounts:
Restrict privileged accounts on each system to persons/roles expressly authorized by the Agency.
AC-6 (6): Privileged Access by Non-Organizational Users:
Prohibit privileged access to the system by non-organizational users.
AC-6 (7): Review of User Privileges:
- Review no less often than every ninety (90) days the privileges assigned to CUI to validate the need for such privileges; and
- Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
AC-6 (8): Privilege Levels for Code Execution:
Prevent the following software from executing at higher privilege levels than users executing the software: agency-defined software.
AC-6 (10): Prohibit Non-privileged Users from Executing Privileged Functions:
Prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
AC-7 Unsuccessful Login Attempts
- Enforce a limit of three (3) consecutive invalid logon attempts per user ID during a 120-minute period; and
- Automatically lock the account for 15 minutes, or until released by an administrator, when the maximum number of unsuccessful attempts is exceeded.
AC-8 System Use Notification
- Display a warning banner to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, standards, policies, and guidelines and states that:
  - Users are accessing a U.S. Government system;
  - System usage may be monitored, recorded, and subject to audit;
  - Unauthorized use of the system is prohibited and subject to criminal and civil sanctions; and
  - Use of the system indicates consent to monitoring and recording.
- Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
- For publicly accessible systems:
  - Display the CUI-approved warning banner on the information system screen prior to granting further access;
  - Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
  - Include a description of the authorized uses of the system.
AC-10 Concurrent Session Control
The information system limits the number of concurrent sessions for each system account to one (1) session for both normal and privileged users. The number of concurrent application/process sessions is limited and enforced to the number of sessions expressly required for the performance of job duties and any requirement for more than one (1) concurrent application/process session is documented in the security plan.
AC-11 Session Lock
- Prevent further access to the system by initiating a device lock after 15 minutes of inactivity, and require the user to initiate a device lock before leaving the system unattended; and
- Retain the device lock until the user re-establishes access using established identification and authentication procedures.
AC-12 Session Termination
Automatically terminate a user session after 30 minutes of inactivity.
AC-12 (1): User-Initiated Logouts:
Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to systems accessing, processing, storing, or transmitting CUI.
AC-14 Permitted Actions without Identification or Authentication
- Identify specific user actions that can be performed on the system without proper identification and authentication, consistent with organizational mission and business functions; and
- Document and provide supporting rationale in the security plan for the system for user actions not requiring identification and authentication.
AC-17 Remote Access
- Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
- Authorize each type of remote access to the system prior to allowing such connections.
AC-17 (1) Monitoring and Control:
Employ automated mechanisms to monitor and control remote access methods.
AC-17 (2) Protection of Confidentiality and Integrity Using Encryption:
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
AC-17 (3) Managed Access Control Points:
Route remote accesses through authorized and managed network access control points.
AC-17 (4) Privileged Commands and Access:
- Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and only for compelling operational needs defined by the agency; and
- Document the rationale for remote access in the security plan for the system.
AC-18 Wireless Access
- Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
- Authorize each type of wireless access to the system prior to allowing such connections.
AC-18 (1) Authentication and Encryption:
Protect wireless access to the system using authentication of both users and devices, and encryption.
AC-18 (3) Disable Wireless Networking:
Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.
IRS.1:
Guest wireless networks operated by or on behalf of the agency, data center or vendor managed facilities must be completely logically separate from all other secured internal networks.
IRS.2:
Monitor for unauthorized wireless access to the information system and enforce requirements for wireless connections to the information system.
AC-19 Access Control for Mobile Devices
- Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, including when such devices are outside of controlled areas; and
- Authorize the connection of mobile devices to organizational systems.
AC-19 (5): Full Device and Container-Based Encryption:
Employ full-device encryption using the latest FIPS 140 validated encryption on areas where CUI resides to protect the confidentiality and integrity of information on agency-owned mobile devices and mobile devices that are part of a BYOD implementation. POA&M findings must be documented and tracked when no such encryption technology solutions are available to address a specific device.
AC-20 Use of External Information Systems
- Establish terms and conditions, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
  - Access the system from external systems; and
  - Process, store, or transmit CUI data using external systems; or
- Prohibit the use of non-agency-managed external systems.
AC-20 (1) Use of External Systems – Limits on Authorized Use:
Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:
- Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or
- Retention of approved system connection or processing agreements with the organizational entity hosting the external system.
AC-20 (2) Portable Storage Devices -Restricted Use:
Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organizational-defined policy.
AC-20 (3) Non-Organizationally Owned Systems and Components – Restricted Use:
- Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information in accordance with regulatory compliance requirements;
- Use of contractor-owned devices must be documented within the contract and the system security plan, employ information security and privacy protections appropriate for the sensitivity of the data, and be approved by the Authorizing Official (AO) in advance;
- Use of personally owned devices must comply with organizational policies and directives on use of personally owned information systems and components;
- Employ security and privacy safeguards that are appropriate for the sensitivity of the data; and
- Implement either full-device or virtual container encryption to reduce the risk to sensitive information processed, stored, or transmitted by non-organizationally owned systems or system components (devices).
IRS.1:
Approval by the agency CISO is required for connection of non-government furnished or contractor-owned IT devices (including USB-connected portable storage and mobile devices) to agency-owned systems or networks receiving, processing, storing, accessing, protecting and/or transmitting FTI. This requirement does not apply to networks and systems intended for use by the general public.
AC-21 Information Sharing
- Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for information sharing circumstances where user discretion is required and permitted by IRC 6103; and
- Employ automated mechanisms or manual processes compliant with IRC § 6103 to assist users in making information sharing and collaboration decisions.
AC-22 Publicly Accessible Content
- Designate individuals authorized to make information publicly accessible;
- Train authorized individuals to ensure that publicly accessible information does not contain sensitive data;
- Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
- Review the content on the publicly accessible system for nonpublic information at a minimum bi-weekly (no less often than every fourteen [14] days) and remove such information, if discovered.
Evaluation
The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:
- Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as IRS 1075, NIST 800-53, and CMS MARS-E; and
- Addressing any deficiencies or gaps discovered during periodic audits conducted by Georgia DOAA or other regulatory bodies, such as IRS, CMS, SSA, FBI, etc.