NIST 800-53 REV 5 • ACCESS CONTROL

AC-14 — Permitted Actions Without Identification or Authentication

Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be "none."

Practitioner Notes

Some system actions may be allowed without requiring a user to log in — like viewing a public-facing webpage or accessing an emergency notification system. This control says you must identify and document exactly which actions are allowed without authentication.

Example 1: Document in your System Security Plan (SSP) every system function that does not require authentication. For a web server, this might be viewing the public homepage and the logon banner. Everything else should require authentication. Verify by testing with unauthenticated browser sessions.

Example 2: Review your firewall rules and IIS bindings to identify any services accessible without credentials. Common overlooked items include anonymous FTP access, unauthenticated SNMP, and open API endpoints. Disable anything not explicitly documented and approved in your SSP.