PS-6

Access Agreements

Personnel Security

NIST Control Text

a. Develop and document access agreements for organizational systems;

b. Review and update the access agreements [Assignment: organization-defined frequency]; and

c. Verify that individuals requiring access to organizational information and systems:

1. Sign appropriate access agreements prior to being granted access; and

2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [Assignment: organization-defined frequency].

NIST Discussion

Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

Parameter Values

Assignment (frequency - review/update): Annually

Assignment (frequency - re-sign): Upon SenL designation change, upon rescreening per PS-3, when agreements are updated, or annually

SL5 Supplemental Guidance

Access agreements scale with Sensitivity Level. SenL-1/2 include standard NDA and monitoring acknowledgment. Higher tiers add progressively stricter obligations: foreign contact reporting and secondary employment restrictions (SenL-3), dual authorization acknowledgment and travel notification (SenL-4), custodian-specific protocols and post-employment restrictions (SenL-5). Complete tier-specific requirements are in the SenL Framework Document [26].