Name: Episode 13_Permitted Actions Without Identification and Authentications_ (AC-14)
Uploaded: 2022-12-13 01:46:29
Duration: 7 min 48 s

Question 1

What is NIST 800-53 AC-14 permitted actions without identification and authentication?

Accepted Answer

AC-14 is the control that applies when an organization allows certain system actions to be performed without unique user identification or authentication. The key is that those actions must be identified and documented, and the supporting rationale must be included in the SSP. If you don’t need any unauthenticated actions, the organization can define the value as “none.”

Question 2

Is AC-14 required for Low, Moderate, and High baselines?

Accepted Answer

Yes—AC-14 is selected across Low, Moderate, and High baselines. I call that out in the video because people sometimes assume it’s only for public systems, but it’s broader than that. The baseline selection doesn’t mean you must allow unauthenticated actions—it means you must address the control either way.

Question 3

What are examples of permitted actions without authentication under AC-14?

Accepted Answer

NIST discusses cases like accessing a public website or other publicly accessible federal systems. The idea is limited, specific actions where identification and authentication aren’t required to meet the mission. The organization still has to define exactly what those actions are and why they’re acceptable.

Question 4

Where do you document AC-14 in RMF documentation?

Accepted Answer

You document AC-14 directly in the System Security Plan (SSP). I want to see the list of actions that don’t require identification/authentication and the rationale that supports it. If it’s not in the SSP (or aligned policy documentation), it’s not defensible during assessment.

Question 5

How do you assess or test AC-14 during a Security Control Assessment (SCA)?

Accepted Answer

My approach is straightforward: obtain and examine the access control policy and procedures, then obtain and examine the SSP. I verify the permitted actions are clearly documented and that the rationale makes sense and doesn’t introduce security risk. If the rationale is weak or outdated, I call it out.

Question 6

Does AC-14 apply to sessions where a user already authenticated earlier?

Accepted Answer

No—AC-14 is not about situations where authentication already happened and isn’t repeated. It’s specifically about cases where identification and authentication have not yet occurred at all. That distinction matters when you’re scoping what’s truly “unauthenticated.”

Question 7

What should you do if the business need for unauthenticated actions no longer exists?

Accepted Answer

This is a big one: if the rationale used to be valid but isn’t anymore, you need to call it out and remove that capability. Don’t leave bypasses or unauthenticated actions in place just because they’ve always been there. Update the SSP and related documentation to reflect the current reality.

Episode 13_Permitted Actions Without Identification and Authentications_ (AC-14)

🛍️ Products Mentioned (4)

Official NIST publications, standards, and guidance

Official KamilSec branded designs and apparel

PayPal

*Patreon & Channel Support*******

About This Video

Frequently Asked Questions

🎬 More from KamilSec