NIST 800-53 REV 5 • PERSONNEL SECURITY
PS-6 — Access Agreements
a. Develop and document access agreements for organizational systems;
b. Review and update the access agreements {{ insert: param, ps-06_odp.01 }}; and
c. Verify that individuals requiring access to organizational information and systems:
   1. Sign appropriate access agreements prior to being granted access; and
   2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.
Supplemental Guidance
Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.
Practitioner Notes
Before granting access to your systems, require every user to read and sign an access agreement that explains their responsibilities — acceptable use policies, security rules, and the consequences of violations.
Example 1: Draft an access agreement that covers acceptable use, password responsibilities, data handling rules, monitoring consent, and consequences of misuse. Require every new employee and contractor to sign it before receiving their account credentials. Re-sign annually.
Example 2: Use Microsoft Entra ID Terms of Use policies to require users to accept your access agreement every time they log in or at defined intervals. If they decline, access is blocked. Entra tracks acceptance status so you have an auditable record of who agreed and when.
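The verification step in PS-6(c) is easiest to enforce and audit as a mechanical check rather than a manual review. The following Python is an added example, not part of the NIST control text and not code from Microsoft Entra or any other product: it treats the acceptance records your signature-tracking system exports as input and decides, per user, whether access may be granted or kept. A user is blocked when an agreement was never signed (c.1), when the signed version is older than the current one (c.2, "updated"), or when the signature is older than the re-sign interval (c.2, the ps-06_odp.02 parameter, assumed here to be 365 days). All data structures, names and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Agreement:
    """One access agreement the organization requires (AUP, NDA, rules of behavior, ...)."""
    name: str
    version: int        # incremented whenever the agreement text is updated
    updated_on: date    # date the current version was published


@dataclass(frozen=True)
class Acceptance:
    """A recorded signature: who accepted which version of which agreement, and when."""
    user: str
    agreement: str
    version: int
    signed_on: date


# Assumed organization-defined re-sign interval (stands in for ps-06_odp.02).
RESIGN_INTERVAL = timedelta(days=365)


def latest_acceptances(user, acceptances):
    """Map agreement name -> the user's most recent acceptance of that agreement."""
    latest = {}
    for acc in acceptances:
        if acc.user != user:
            continue
        cur = latest.get(acc.agreement)
        if cur is None or (acc.version, acc.signed_on) > (cur.version, cur.signed_on):
            latest[acc.agreement] = acc
    return latest


def check_access(user, agreements, acceptances, today, resign_interval=RESIGN_INTERVAL):
    """Decide whether `user` may be granted (or keep) access.

    Returns (allowed, blockers); blockers lists (agreement, reason) for every
    agreement that is missing, superseded, or due for re-signature.
    """
    blockers = []
    mine = latest_acceptances(user, acceptances)
    for agr in agreements:
        acc = mine.get(agr.name)
        if acc is None:
            # PS-6(c)(1): sign before access is granted
            blockers.append((agr.name, "not signed"))
        elif acc.version < agr.version or acc.signed_on < agr.updated_on:
            # PS-6(c)(2): agreement text changed since the signature was recorded.
            # A signature dated before the current version was published is treated
            # as stale even if the version field matches (suspect or back-dated record).
            blockers.append((agr.name, "agreement updated, re-sign required"))
        elif acc.signed_on + resign_interval <= today:
            # PS-6(c)(2): periodic re-sign interval elapsed
            blockers.append((agr.name, "signature older than re-sign interval"))
    return (not blockers, blockers)


def audit(users, agreements, acceptances, today):
    """Report dict user -> (allowed, blockers), e.g. for an annual access review."""
    return {u: check_access(u, agreements, acceptances, today) for u in users}


# Constructed sample data (not real records).
AGREEMENTS = [
    Agreement("acceptable-use", 2, date(2024, 3, 1)),   # revised this year: everyone must sign v2
    Agreement("nda", 1, date(2023, 1, 15)),
]
ACCEPTANCES = [
    Acceptance("alice", "acceptable-use", 2, date(2024, 3, 5)),
    Acceptance("alice", "nda", 1, date(2023, 9, 1)),
    Acceptance("bob", "acceptable-use", 1, date(2024, 1, 10)),    # signed only the old version
    Acceptance("bob", "nda", 1, date(2023, 9, 1)),
    Acceptance("carol", "acceptable-use", 2, date(2024, 3, 5)),   # never signed the NDA
    Acceptance("dave", "acceptable-use", 2, date(2024, 3, 5)),
    Acceptance("dave", "nda", 1, date(2023, 5, 1)),               # NDA signature past the annual interval
    Acceptance("erin", "acceptable-use", 2, date(2024, 2, 1)),    # v2 dated before v2 existed: stale
    Acceptance("erin", "nda", 1, date(2023, 9, 1)),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    report = audit(["alice", "bob", "carol", "dave", "erin"], AGREEMENTS, ACCEPTANCES, TODAY)
    for user, (allowed, blockers) in report.items():
        print(f"{user:6} {'ALLOW' if allowed else 'BLOCK'} {blockers}")
```

The check is deliberately conservative: it keys on both the version number and the publication date, so a record that claims the current version but predates it is sent back for re-signature rather than trusted. Run `audit` over the full user list at the review interval set in ps-06_odp.01, and run `check_access` for a single user at provisioning time; the blockers list gives the reviewer the exact agreement and reason rather than a bare yes/no.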