Manage Access Control Playbook

Step 2 - Conduct a Policy Analysis


Conducting a policy analysis will help you better understand the existing access control expectations and limitations, the selection and implementation of access control measures, and supporting enablers to protect your agency’s resources. Understanding your policies across the enterprise will help you update existing policies and draft new ones to support your agency’s access control needs.

Checklist

 Analyze existing policies. Review your agency’s access management policies to determine if they are aligned with the broader access control goals and objectives. This will help you determine if your agency should develop new policies to enforce appropriate access control requirements agency-wide.

 Establish baseline access control policies. These policies should define minimum security requirements at the enterprise level, which sets access control standards for protecting agency resources across the enterprise. Below are a few access control management policy examples.


| Potential Access Policies | Description |
| --- | --- |
| Issue Policy Memorandum: Continued Implementation of HSPD-12 | Enforcing use of the PIV card for physical and logical access and acceptance of PIV credentials issued by other federal agencies. |
| Issue Policy/Guidance Addressing Common Physical Scenarios and Common Logical Access Scenarios | Formal agency-level decisions for handling common physical and logical access scenarios such as a lost/forgotten PIV card or forgotten personal identification number (PIN). |
| Issue Policy/Guidance Addressing Standardization of Local Facility Access Cards | Policy or procedural guidance for establishing a standard local facility access card and providing guidance around when and how they are issued. |
| Issue Policy/Guidance Addressing Visitor Management | Procedural guidance for establishing what types of credentials are considered acceptable for granting physical access to visitors, including individuals who are not PIV card holders (e.g., escort procedures). |