AC-14 Permitted Actions Without Identification Or Authentication

Access Control

Low Moderate High

Description

The organization identifies and documents specific user actions that can be performed on the information system without identification or authentication.

Supplemental Guidance

The organization allows limited user activity without identification and authentication for public websites or other publicly available information systems (e.g., individuals accessing a federal information system at http://www.firstgov.gov). Related security control: IA-02.

Enhancements

(1) The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission objectives.

MITRE ATT&CK Techniques (1)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Persistence 1

Compliance Mappings

ISO 27002:2022

5.15

COBIT 2019

DSS05

NIS2 Directive

Art. 21(2)(i)

MAS TRM

9

BSI IT-Grundschutz

ORP.4

ANSSI

Hygiene.11, SecNumCloud.10.1

FINMA Circular 2023/1

IV.B.d(59)

OSFI B-13

B-13.3.2

EU GDPR

Art.25(2)

EU DORA

Art.9(4)(c)

BIO2

5.15

RBI CSF

Annex1.8

SAMA CSF

3.1

NCA ECC

2-2

UAE IA

T9

CBB TM

TM-6

Qatar NIA

AC

CBUAE

CR-4

CBE CSF

CTO-1

BoG CISD

CISD-VIII

HIPAA Security Rule

§164.312(a)(2)(ii)

BOT Cyber Resilience

Ch2.2

CMMC 2.0

AC

Lloyd's Minimum Standards

MS8.3

FDA Cybersecurity Guidance

SA-1

ISO 27799

9.2

ISO 17799 (legacy)

None.

COBIT 4.1 (legacy)

None.