9-4.1 Types of Accountability

Accountability for access to information resources must be established at the site, network, and individual levels.

9-4.1.1 Site Accountability

Site accountability associates users or information resources with a specific location. Site accountability is established by issuing a site identification number or code (site ID) that is restricted by system hardware or software to a unique system, network, or terminal address in a controlled environment.

9-4.1.2 Network Accountability

Network accountability associates users or information resources with a specific network or a logical subnet of a network. Network accountability is established by issuing a network identification number or code (network ID) or through the network address.

9-4.1.3 Individual Accountability

Individual accountability associates each user or information resource (e.g., a workstation or terminal) with any action on an information resource. Individual accountability is established by issuing a unique user or log-on identification number or code (i.e., user ID or log-on ID). Machine accountability may be established for a specific information resource through its workstation address or other identifier. All information resources must be capable of individual accountability and must do the following:

  1. Identify information resources each time they attempt to log on to the system.
  2. Verify that information resources are authorized to use the system.
  3. Associate all actions taken by an information resource with that resource’s unique identifier (i.e., resource ID or log-on ID).