Information Systems Security Controls Guidance: Access Authentication

Access Authentication – Section 11(c)(9)(ii)

Section 11(c)(9)(ii) requires the entity to “ensure that authorized and authenticated users are only granted access to select agent and toxin related information, files, equipment (e.g., servers or mass storage devices) and applications as necessary to fulfill their roles and responsibilities, and that access is modified when the user’s roles and responsibilities change or when their access to select agents and toxins is suspended or revoked.”
The entity must ensure that:

• • Only authenticated users are granted access to BSAT related information.
  • Authenticated and authorized users only have access to BSAT related information that is specifically related to the work that they do.
  • All BSAT related information and information storage (files, computers, hard drives, and other storage devices) are accessible only by authenticated and authorized users.
  • Access is modified in in the event that a user’s role changes or when access to BSAT is suspended or revoked.

Things that generally meet these requirement include:

• Domain passwords (Microsoft login)
• Work station passwords
• Two-factor identification (CAC/PIV + __)
• Fingerprint or other biometric security features