AC.L1-B.1.I
Authorized Access Control

FCI Data

Security Requirement

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

States that access to restricted resources is based on roles, using authentication. Users must protect credentials.

NIST Cybersecurity Framework v2

  • Protect (PR): PR.AA-01 - Identities are managed for authorized users, processes, and devices.
  • Protect (PR): PR.AA-03 - Access to assets and associated facilities is limited to authorized users, processes, and devices.

Implementation Details

Documentation should include details to meet the Security Requirement for this control. Complete this list for each system that processes or accesses FCI data:

  • List your process for ensuring that only authorized users have access. Include processes for onboarding, offboarding, and regularly auditing access.
  • List the technical controls used to limit system access to authorized staff only.
  • List the process for approving devices that are allowed to connect to USU systems.
  • List any additional processes or procedures you have that help meet the control’s security requirement.

Document How

  • authorized users are identified
  • processes acting on behalf of authorized users are identified
  • devices (and other systems) authorized to connect to the system are identified
  • system access is limited to authorized users
  • system access is limited to processes acting on behalf of authorized users
  • system access is limited to authorized devices (including other systems)

Example


Machines are managed by USU IT according to the desktop management initiative. Each employee is issued a unique A# with specific password requirements that must be used to log on to all computers and systems that store FCI. Multi-Factor Authentication (MFA) is required for all SSO-enabled services. Employees using wireless to connect to USU systems must use eduroam, which provides an encrypted session. Remote connections must be made from USU-managed computers and require the use of GlobalProtect VPN, which provides an encrypted secure connection to USU systems.


Entra ID (Azure AD) & Active Directory

What it does:
  • Provides centralized identity and access management for users and devices.
How it helps a researcher:
  • Research staff are assigned unique A#-based user accounts managed through Entra ID and USU Active Directory.
  • Access to research systems, files, and software can be granted only to specific users or groups using security groups.
  • Device authentication can be enforced through device join status and compliance policies.
  • Role-based access can be implemented using security groups mapped to job functions or project roles.
Example:
  • A researcher can be placed in an AD group like USU-FCI-ProjectAlpha, which grants them access only to folders or applications related to that specific research contract.

Institutional VPN solution

What it does:
  • Provides encrypted remote access to USU’s internal network and restricts access to university-managed devices.
How it helps a researcher:
  • VPN access is restricted to approved USU accounts and devices that meet compliance checks.
  • Access to internal systems containing FCI is only available once connected through VPN.
  • Ensures data-in-transit is encrypted, especially for off-campus researchers or collaborators.
Example:
  • A researcher uses their USU-issued laptop to connect via the institutional VPN solution. The system checks that the device has endpoint protection and current updates before allowing access to the lab network.

Box.com for institutional data storage

What it does:
  • Cloud-based file storage approved for FCI with fine-grained access control.
How it helps a researcher:
  • FCI can be stored securely in Box folders with permissions limited to specific users.
  • Sharing can be disabled externally to ensure only USU-authenticated users can view or modify the data.
  • Access logging and version history help maintain integrity and auditability.
Example:
  • A research team creates a Box folder named “NSF-Project-123-FCI.” Access is restricted to project members using their A# accounts. External sharing is disabled, and MFA is enforced through Entra SSO.

MFA for all SSO-enabled services

What it does:
  • Requires a second factor (typically via phone app or hardware token) to verify identity during login.
How it helps a researcher:
  • Protects against unauthorized account access, especially from phishing or stolen credentials.
  • Enforced automatically for all USU Single Sign-On services (e.g., Box, Office 365, VPN access).
  • Ensures that even if a researcher’s password is compromised, their account remains protected.
Example:
  • When a researcher logs in to Box.com or connects to VPN, they’re prompted to approve the login via the Microsoft Authenticator app on their phone.

USU Group Management

What it does:
  • Allows creation and maintenance of security groups used to manage access to systems and data.
How it helps a researcher:
  • IT or project managers can create project-specific groups (e.g., for a contract with FCI requirements).
  • Researchers are added or removed based on role or project membership.
  • Access to shared drives, Box folders, VPN routes, or software tools can be automated via group membership.
Example:
  • A PI requests a group named USU-FCI-DOE-2024, adds their team members, and uses the group to control access to a secured file share and email distribution list.

Enterprise firewall and intrusion prevention system (IPS)

What it does:
  • Enforces network segmentation and limits unauthorized connections to internal systems.
How it helps a researcher:
  • Departmental systems storing FCI are placed behind firewalls that block all traffic except from authorized sources (e.g., campus IP, VPN, or specific subnet).
  • Researchers accessing FCI systems must do so from managed networks or VPN endpoints.
  • Firewall logs can be reviewed to verify access patterns and detect anomalies.
Example:
  • A research server storing FCI is on a segmented VLAN only accessible through VPN. Firewall rules restrict traffic to only required services and IPs, ensuring unauthorized users or devices cannot connect.

The USU services described above could be leveraged to meet control requirements*.

*List of services may not be complete or applicable for a given configuration. The use of a given service does not necessarily satisfy control requirements or may require specific configuration to meet control requirements. Documentation should include how the service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Look at your policies, login screens, account settings, or system configuration to see how access is limited.
  • Interview:
    • Ask staff questions like: “How do you make sure only the right people get in?” or “What do you do when someone leaves?”
  • Test:
    • Try logging in as a new person or on a new device to see if the system follows the rules.

Objects (examples of items you could present to the auditor)

  • Access Control Policy: A document that says who is allowed in and how they get in.
  • User Account Lists: A list of people who have logins to your systems.
  • Device Lists: A list of approved computers or devices.
  • System Configurations: Screenshots or settings that show how your login system works.
  • Audit Logs: Computer records showing who logged in and when.
  • Offboarding Checklist: A list of things you do when someone leaves - like removing their access.
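The access audit this control asks for (comparing who is authorized, who is actually in the access group, who has been offboarded, and who actually logged in from which device) can be scripted. The following is an added example, not USU code or a USU tool; the roster, group export, device list and audit-log lines are constructed for illustration, and the A# values and host names are placeholders.

```python
"""Access-audit reconciliation for a system holding FCI (added example).

All inputs below are constructed samples: a PI-approved roster, an export of
the AD security group that grants access, the list of completed offboardings,
the approved device list, and simplified audit-log lines
in the form "timestamp,user,device,result".
"""

AUTHORIZED = {"A01234567", "A02345678", "A03456789"}          # PI-approved roster
GROUP_MEMBERS = {"A01234567", "A02345678", "A09876543"}       # AD group export
OFFBOARDED = {"A09876543"}                                    # offboarding checklist done
MANAGED_DEVICES = {"LAB-PC-01", "LAB-PC-02"}                  # approved device list
LOGINS = [
    "2024-05-01T08:02:11Z,A01234567,LAB-PC-01,success",
    "2024-05-01T09:15:40Z,A09876543,LAB-PC-02,success",      # offboarded user still logging in
    "2024-05-01T22:47:03Z,A02345678,HOME-LAPTOP,success",    # authorized user, unapproved device
    "2024-05-02T07:30:00Z,A05555555,LAB-PC-01,failure",      # failed attempt, not counted
]


def reconcile(authorized, group_members, offboarded):
    """Compare the access group against the roster and the offboarding record.

    Returns members who should not be in the group, members whose offboarding
    was completed but whose access was never removed, and approved users who
    are missing from the group (onboarding not finished).
    """
    return {
        "unauthorized": sorted(group_members - authorized),
        "stale_offboarded": sorted(group_members & offboarded),
        "missing": sorted(authorized - group_members),
    }


def review_logins(lines, authorized, managed_devices):
    """Flag successful logins by non-roster users or from unapproved devices."""
    findings = []
    for line in lines:
        ts, user, device, result = line.strip().split(",")
        if result != "success":
            continue
        if user not in authorized:
            findings.append((ts, user, device, "user not on authorized roster"))
        if device not in managed_devices:
            findings.append((ts, user, device, "device not on approved device list"))
    return findings


if __name__ == "__main__":
    print(reconcile(AUTHORIZED, GROUP_MEMBERS, OFFBOARDED))
    for finding in review_logins(LOGINS, AUTHORIZED, MANAGED_DEVICES):
        print(finding)
```

Run against real exports, the two result sets are the evidence an auditor would ask for under "User Account Lists", "Audit Logs" and "Offboarding Checklist".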