Policy and Procedures
AC-1 requires developing, documenting, and disseminating comprehensive access control policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance verification methods.
Key takeaways:
- Create both high-level policy and detailed implementation procedures
- Address all seven required elements explicitly in documentation
- Establish formal review and update cycles (minimum annually)
- Disseminate to all personnel with access control responsibilities
- Maintain evidence of policy acknowledgment and training
The AC-1 Policy and Procedures requirement forms the foundation of your access control program under FedRAMP Moderate baseline. This control establishes the governance framework that drives all subsequent access control implementations across your cloud service offering.
For Cloud Service Providers (CSPs) pursuing FedRAMP authorization, AC-1 represents more than documentation—it's the blueprint for how your organization manages, monitors, and maintains access to federal data. The control explicitly requires seven elements: purpose, scope, roles, responsibilities, management commitment, coordination, and compliance.
Most CSPs stumble on coordination and compliance elements, focusing too heavily on technical controls while neglecting the organizational aspects. Your policy must demonstrate how different teams collaborate on access control decisions and how you verify ongoing compliance with your stated procedures.
Regulatory text
Per NIST SP 800-53 Rev 5 AC-1, organizations must "Develop, document, and disseminate an access control policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination, and compliance."
This requirement mandates two distinct documentation artifacts:
- An access control policy establishing organizational direction and intent
- Procedures detailing implementation of that policy
Both documents must explicitly address all seven required elements and be formally disseminated to relevant personnel.
Who This Applies To
AC-1 applies to all Cloud Service Providers seeking or maintaining FedRAMP authorization at any impact level. Within your organization, this requirement impacts:
- Security and compliance teams responsible for policy development
- IT operations managing technical access controls
- Human resources handling personnel onboarding/offboarding
- Management providing oversight and resource allocation
- Any third parties with administrative access to your FedRAMP boundary
Federal agencies using FedRAMP-authorized services inherit this control as implemented by the CSP but may layer additional agency-specific requirements.
Step-by-Step Implementation
Phase 1: Policy Development (Days 1-30)
1. Draft the Access Control Policy
Structure your policy with these mandatory sections:
- Purpose: Define why access control matters for protecting federal data in your cloud environment
- Scope: Specify systems, data types, and personnel covered (must encompass entire FedRAMP authorization boundary)
- Roles and Responsibilities: Document who owns, implements, and monitors access control
- Management Commitment: Include signed executive statement supporting access control program with allocated resources
- Coordination: Define how security, operations, and business units collaborate on access decisions
- Compliance: Establish review cycles, audit mechanisms, and violation consequences
2. Create Implementation Procedures
Develop procedures covering:
- Account provisioning workflows
- Privilege assignment matrices
- Access review processes
- Termination procedures
- Emergency access protocols
- Audit log retention
Phase 2: Review and Approval (Days 31-60)
3. Conduct Stakeholder Review
Route draft documents through:
- Legal review for regulatory alignment
- Technical teams for feasibility validation
- Management for resource commitment
- Operations for workflow integration
4. Obtain Formal Approval
Secure written approval from:
- Chief Information Security Officer (CISO) or equivalent
- System owner for FedRAMP boundary
- Senior management demonstrating commitment
Phase 3: Dissemination and Training (Days 61-90)
5. Establish Distribution Mechanisms
- Post on internal policy portal with version control
- Create acknowledgment tracking system
- Develop role-based distribution lists
6. Conduct Training
- Develop role-specific training modules
- Document completion for all personnel with access control responsibilities
- Establish recurring training requirements
Required Evidence and Artifacts
Maintain these artifacts for FedRAMP assessment:
| Artifact | Description | Update Frequency |
|---|---|---|
| Access Control Policy | Signed policy addressing all seven elements | Annual minimum |
| Access Control Procedures | Detailed implementation steps | Annual or on change |
| Distribution Records | Evidence of dissemination to relevant personnel | Per distribution |
| Training Records | Completion certificates for AC training | Per training cycle |
| Review Records | Documentation of periodic policy/procedure reviews | Annual |
| Approval Documentation | Signed approvals from required authorities | Per version |
Common Exam Questions and Preparation
FedRAMP assessors typically focus on:
1. "Show me evidence of management commitment to access control"
- Have executive-signed policy readily available
- Document budget allocation for access control tools
- Show staffing dedicated to access management
2. "How do you ensure all seven required elements are addressed?"
- Create traceability matrix mapping policy sections to requirements
- Use consistent headers matching NIST terminology
3. "Demonstrate coordination between organizational entities"
- Document recurring meetings between security and operations
- Show integrated workflows crossing team boundaries
- Provide RACI matrix for access control activities
4. "How do you verify personnel received and understood the policy?"
- Maintain acknowledgment database with timestamps
- Show training completion records
- Document comprehension testing results
Implementation Mistakes to Avoid
Generic Policy Syndrome: Copying boilerplate policies without customization to your environment fails assessment. Your policy must reflect actual practices within your FedRAMP boundary.
Missing Coordination Element: Many CSPs document roles but fail to explain how teams work together. Include specific touchpoints, escalation paths, and decision-making processes.
Stale Documentation: Policies gathering dust violate the "disseminate" requirement. Implement push notifications for updates and require re-acknowledgment.
Incomplete Scope Definition: Vague scope statements create assessment findings. Explicitly list all systems, data types, and user populations within your FedRAMP authorization boundary.
Weak Compliance Mechanisms: Stating "we review annually" without evidence fails validation. Document review meetings, findings, and resulting updates.
Risk and Enforcement Context
While AC-1 rarely triggers direct enforcement actions, inadequate policy and procedures multiply risks across all technical controls. Poor AC-1 implementation manifests as:
- Inconsistent access provisioning leading to unauthorized access
- Delayed terminations creating insider threats
- Privilege creep from undefined review cycles
- Audit failures from missing procedural documentation
During FedRAMP assessments, AC-1 deficiencies often cascade into findings across multiple control families, jeopardizing authorization timelines.
90-Day Execution Plan
Immediate Actions (Week 1)
- Assign policy owner and development team
- Gather existing access control documentation
- Identify all stakeholder groups
Near-term Deliverables (Weeks 2-8)
- Complete policy draft with all seven elements
- Develop supporting procedures
- Conduct stakeholder reviews
- Create training materials
Ongoing Activities (Weeks 9-12)
- Obtain management approvals
- Execute dissemination plan
- Conduct initial training sessions
- Establish review calendar
- Implement acknowledgment tracking
Frequently Asked Questions
Can we combine our access control policy with other security policies?
Yes, you can create an overarching security policy, but ensure a dedicated section comprehensively addresses all seven AC-1 elements with sufficient detail.
How detailed should our procedures be compared to the policy?
Procedures should provide step-by-step instructions executable by operations staff, while policy states high-level objectives and requirements. Think "what and why" versus "how."
What constitutes adequate "dissemination" for FedRAMP purposes?
Email alone rarely suffices. Implement trackable distribution via policy management systems, require acknowledgment, and maintain records proving personnel received and understood the documents.
How often must we review and update our AC-1 documentation?
NIST requires review at organization-defined frequency, but FedRAMP assessors expect annual reviews minimum. Update immediately when significant changes occur to systems or operations.
Do contractor and third-party personnel need to acknowledge our policy?
Any third party with privileged access to your FedRAMP environment must acknowledge and follow your access control policy. Include this requirement in contracts.
Can we reference other documents instead of duplicating content?
Yes, but ensure referenced documents are equally controlled, available to assessors, and updated synchronously with your AC-1 documentation.