NIST 800-53 AC-14

Permitted Actions without Identification or Authentication

Return to master list of NIST 800-53 controls.

Automated Inspection items for NIST SP 800-53 AC-14 assessment.

Automated Inspection items are efficient enough that they can usually be part of a CA-7 Continuous Monitoring program on a daily (or in some cases hourly) basis, simultaneously meeting the requirements of RA-5 Vulnerability Scanning. While NIST 800-53 allows Continuous Monitoring results to be used for CA-2 Security Assessments and CA-4 Security Certification, a separate run using the same automated Inspection items in combination with more laborious items for CA-2 and CA-4 adds no significant burden.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen,  LJK/Security™ starter templates provide automated Inspection items as follows:

NIST SP 800-53 R2 AC-14
Description  Automated Tests
Any username with a null primary password shall be captive.
(UAF,PWDNULL,CAPTIVE)
No terminal shall auto-login to a no-password username.
(TERM,AUTOLOGIN,NOPASSWORD)
No terminal shall auto-login to a non-captive username.
(TERM,AUTOLOGIN,NONCAPTIVE)
No terminal shall auto-login to a privileged username.
(TERM,AUTOLOGIN,ABSOLUTHI)
No terminal shall have an unauthorized auto-login entry.
(TERM,AUTOLOGIN,ENTRY)
No unauthorized Username is set up to allow automatic login.
(UAF,AUTOLOGIN,PROHIBITED)
(UAF,AUTOLOGIN,REQUIRED)

Interview questions for NIST SP 800-53 AC-14 assessment.

Interview questions are useful mainly for CA-2 Security Assessments and CA-4 Security Certification. For most environments they are too laborious to include in CA-7 Continuous Monitoring.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen,  LJK/Security™ starter templates provide Interview questions in the following groups:

Determination Statement Number Group Names
NIST SP 800-53 R2 AC-14(1)
POLSTAFF

Manual Inspection items for NIST SP 800-53 AC-14 assessment.

Manual Inspection items are useful mainly for CA-2 Security Assessments and CA-4 Security Certification. For most environments they are too laborious to include in CA-7 Continuous Monitoring.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen,  LJK/Security™ starter templates provide Manual Inspection items in the following groups:

Determination Statement Number Group Names
NIST SP 800-53 R2 AC-14
POLICY
NIST SP 800-53 R2 AC-14(1)
POLICY

Manual Invasive Testing items for NIST SP 800-53 AC-14 assessment.

Manual Invasive Testing items are useful mainly for CA-2 Security Assessments and CA-4 Security Certification. For most environments they are too laborious to include in CA-7 Continuous Monitoring. The level of effort required and the degree of invasiveness are so high (in most cases making up for lack of Common Criteria evaluation) that arrangement as a Common Control is almost always a requirement for execution.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen,  LJK/Security™ starter templates provide Manual Invasive Testing items in the following groups:

Determination Statement Number Group Names
NIST SP 800-53 R2 AC-14
TEST_VMS_NOLOGIN

Descriptions above apply to  LJK/Security™ Version 3.0.

The notation NIST SP 800-53 above refers in particular to NIST Special Publication 800-53 Revision 2.

Those NIST Special Publications specify security standards in support of FISMA for US Federal Government civil activities.

Return to master list of NIST 800-53 controls.

Valid HTML 4.01! Viewable with Any Browser