AC-14 Permitted Actions Without Identification or Authentication
Description
This Control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems.
Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received.
Organizations also identify actions that normally require identification or authentication but may, under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use.
This Control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred.
Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none.
Applicability
The information resource owner, or designee, is responsible for ensuring that the measures described in this Control are implemented.
The intended audience for this Control includes, but is not limited to, all information resources owners and custodians.
Implementation
TAMU-CC Custodians shall:
- Not permit users to perform any action on an information system without identification or authentication. The sole exception to this is Kiosk workstations; and
- Document, in the security plan for the information system, any user actions not requiring identification or authentication, and provide supporting rationale for them.
TAMU-CC identifies, documents, and provides supporting rationale in the security plan for any actions that may be performed on an information system without identification or authentication.
Revision History
Last Updated: February 21, 2025
Previous Versions:
- June 29, 2023
- May 31, 2022
- March 25, 2021
- September 16, 2019