02 – Authorized User Identification & Provisioning Policy

Prepared by: [Name ----------------]
Organization: [company name]


1. Purpose

This policy establishes the framework for identifying, approving, and provisioning the users, devices, and processes that require access to organizational resources. It implements CMMC practice AC.L2-3.1.1 (NIST SP 800-171 3.1.1: limit system access to authorized users, processes acting on behalf of authorized users, and devices; the Level 1 equivalent is AC.L1-b.1.i), supports secure onboarding and role assignment, and mandates timely deprovisioning. All accounts and devices must be documented in the System Security Plan (SSP) and linked to the supporting SOPs so that evidence is ready for assessment.

2. Scope

This policy applies to:

  • All employees, contractors, and authorized third parties requiring system access.
  • All devices (Windows, macOS, Linux, laptops, mobile, servers) connecting to enterprise networks.
  • All service accounts and automated processes requiring authorization.

3. Roles & Responsibilities

  • Policy Owner: Oversees provisioning processes, ensures compliance, and reports status to leadership.
  • HR & Managers: Initiate onboarding requests, validate business need, and approve access levels.
  • IT Security Team: Creates identities in the IAM platform (e.g., Entra ID, Google Cloud IAM), assigns roles via RBAC, enforces device compliance through MDM (e.g., Intune), and configures Conditional Access or an equivalent device- and MFA-based access policy.
  • System Owners: Validate service account requirements and approve exceptions.
  • Users: Operate only with authorized accounts and report anomalies promptly.

4. Policy Statements

  • All users, and the devices and processes acting on their behalf, must be uniquely identified before access is granted.
  • Accounts must be provisioned only through the approved IAM workflow; locally created or out-of-band accounts are not permitted.
  • Devices must meet compliance requirements (MDM enrollment, disk encryption, endpoint protection) before they can reach organizational resources.
  • Service accounts must be documented, approved by the system owner, and restricted to least privilege; they must not be used for interactive logon.
  • Access must be disabled within 24 hours of termination, and access no longer required by a new role must be removed within 24 hours of the role change.
  • Shared accounts are prohibited unless explicitly approved, documented in the SSP, and monitored.

5. Provisioning Workflow

Onboarding

  • HR submits request → Manager approval → IT creates IAM account.
  • Role assigned via RBAC matrix.
  • Device enrolled in MDM/Intune.

Role Assignment

  • Standard roles defined in RBAC policy.
  • Privileged roles require just-in-time activation through PIM or an equivalent approval workflow; standing privileged assignments must be justified and documented.

Deprovisioning

  • Triggered by an HR separation notice, or by a manager's notice of role change for access the new role no longer needs.
  • Account disabled, group and role memberships removed, and active sessions and tokens revoked within 24 hours (disabling the account alone does not end sessions that are already authenticated).
  • Device wiped or retired via MDM/Intune if applicable.

6. Enforcement

  • IAM (e.g., Entra ID, Google IAM): Identity provisioning, group membership, RBAC enforcement.
  • MDM/Intune: Device compliance enforcement.
  • RBAC/PIM: Role assignment and least privilege enforcement.
  • Conditional Access: Block non‑compliant devices and enforce MFA.

7. Monitoring

  • Automated joiner/mover/leaver (JML) logs, recording both the HR event time and the IAM action time, maintained by IT Security so that the 24-hour requirement can be verified.
  • Device inventory maintained in MDM/Intune.
  • Quarterly audit of service accounts documented in compliance repository.
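As an added illustration of the JML audit described above (example code written for this page, not part of the policy template or any vendor tool), the script below checks the 24-hour deprovisioning requirement against two constructed feeds: HR separation notices and IAM account-state events. The feed formats, field names, and sample records are assumptions; in practice they would come from the HRIS export and the identity provider's audit log, whose field names differ.

```python
"""Leaver SLA check for the joiner/mover/leaver log.

Added example, not part of the policy template. It assumes two feeds that
the template does not specify: HR separation notices and IAM account-state
events. Both feeds below are constructed sample data, not real records.
"""
from datetime import datetime, timedelta, timezone

# Policy statement: access removed within 24 hours of separation.
SLA = timedelta(hours=24)

# Constructed HR separation notices (user, time HR recorded the separation).
HR_SEPARATIONS = [
    {"user": "jdoe",   "separated_at": "2024-03-01T09:00:00Z"},
    {"user": "asmith", "separated_at": "2024-03-01T17:30:00Z"},
    {"user": "bwong",  "separated_at": "2024-03-02T08:00:00Z"},
    {"user": "clee",   "separated_at": "2024-03-02T10:00:00Z"},
]

# Constructed IAM account-state events (shape assumed; real IdP exports differ).
IAM_EVENTS = [
    {"user": "jdoe",   "action": "disable", "at": "2024-03-01T15:12:00Z"},
    {"user": "asmith", "action": "disable", "at": "2024-03-03T09:00:00Z"},
    {"user": "clee",   "action": "disable", "at": "2024-03-02T11:00:00Z"},
    {"user": "clee",   "action": "enable",  "at": "2024-03-05T08:00:00Z"},
    {"user": "jdoe",   "action": "enable",  "at": "2023-06-01T09:00:00Z"},  # original onboarding
    # bwong: no disable event at all
]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in both constructed feeds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_leavers(separations, events, sla=SLA):
    """Return one finding per separation.

    status is one of:
      "ok"          disabled within the SLA and not re-enabled afterwards
      "late"        disabled, but after the SLA elapsed
      "missing"     no disable event on or after the separation time
      "reactivated" disabled, then enabled again after the separation
    hours_to_disable is None when the account was never disabled.
    """
    findings = []
    for sep in separations:
        user = sep["user"]
        separated = parse_ts(sep["separated_at"])
        # Only events at or after the separation matter; earlier ones are onboarding history.
        later = sorted(
            (parse_ts(e["at"]), e["action"])
            for e in events
            if e["user"] == user and parse_ts(e["at"]) >= separated
        )
        disables = [t for t, a in later if a == "disable"]
        if not disables:
            findings.append({"user": user, "status": "missing", "hours_to_disable": None})
            continue
        first_disable = disables[0]
        hours = (first_disable - separated) / timedelta(hours=1)
        reenabled = any(a == "enable" and t > first_disable for t, a in later)
        if reenabled:
            status = "reactivated"
        elif first_disable - separated > sla:
            status = "late"
        else:
            status = "ok"
        findings.append({"user": user, "status": status, "hours_to_disable": round(hours, 1)})
    return findings


def violations(findings):
    """Findings an auditor would raise: everything except 'ok'."""
    return [f for f in findings if f["status"] != "ok"]


if __name__ == "__main__":
    for f in audit_leavers(HR_SEPARATIONS, IAM_EVENTS):
        print(f"{f['user']:8} {f['status']:12} {f['hours_to_disable']}")
```

Run directly, it prints one line per leaver; `violations()` returns the entries to file in the compliance repository. Note that a disable event proves only that the account was disabled: session and token revocation and group removal need their own audit events before the leaver can be marked fully deprovisioned.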

8. References

9. SSP, SOP, and Evidence Mapping

  • SSP Mapping: Directly maps to CMMC AC.L2-3.1.1 (NIST SP 800-171 3.1.1; Level 1 equivalent AC.L1-b.1.i) under User Identification & Provisioning.
  • SOP Mapping: Supporting SOPs include User Onboarding SOP, RBAC Assignment SOP, Service Account SOP, and Deprovisioning SOP.
  • Evidence Required:

End of Policy – AC 02
Date Created: [   /   /   ]

