3.1.1

Authorized Access Control

basic

AC.L2-3.1.1

Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

Assessment Objectives (6)

3.1.1[a] authorized users are identified.
3.1.1[b] processes acting on behalf of authorized users are identified.
3.1.1[c] devices (and other systems) authorized to connect to the system are identified.
3.1.1[d] system access is limited to authorized users.
3.1.1[e] system access is limited to processes acting on behalf of authorized users.
3.1.1[f] system access is limited to authorized devices (including other systems).

Sample: 3.1.1[a]

authorized users are identified.

POLICY: Access Control Policy

SSP Language
OSA maintains an Access Control Policy that defines the criteria and approval process for authorizing user access to organizational systems processing CUI. All authorized users are identified within Microsoft Entra ID in the organization's M365 GCC High tenant, which serves as the authoritative identity provider. Access is granted only after management approval and is reviewed quarterly to ensure only current, authorized personnel retain access.
Document Content
The Access Control Policy must include a section that defines who qualifies as an "authorized user" of OSA's CUI system (M365 GCC High tenant). It must establish criteria for granting, reviewing, and revoking user access. It should define roles (e.g., standard user, privileged administrator), the approval authority for granting access, and the frequency of access reviews (recommend quarterly). This policy is the foundational document that the assessor will examine first for 3.1.1[a]. Cross-references: This policy also supports controls 3.1.2 (transaction/function types), 3.5.1 (identification), and 3.5.2 (authentication).
Evidence Guidance

Access Control Policy document (maintained in OSA's policy repository). Provide the signed, dated policy document to the assessor.

PROCEDURE: Account Management Procedure

SSP Language
OSA follows a documented Account Management Procedure governing the full lifecycle of user accounts in Microsoft Entra ID, including provisioning, modification, and deprovisioning. New accounts are created only upon documented management approval, and terminated or transferred personnel have their accounts disabled within 24 hours of notification. The procedure ensures the authorized user list remains current and accurate.
Document Content
This procedure documents the step-by-step process for: (1) requesting and approving new user accounts in M365 GCC High, (2) modifying user access when roles change, and (3) disabling/removing accounts upon separation or transfer. It should include the approval workflow, who performs the provisioning in Entra ID, how the Authorized User List is updated, and the timeline for completing each action (e.g., disable within 24 hours of separation notification). Include a section on evidence collection: maintain completed onboarding/offboarding records with management approval signatures and dates.
Evidence Guidance

Account Management Procedure document (maintained in OSA's procedure repository). Provide the signed, dated procedure to the assessor, along with sample completed onboarding/offboarding records demonstrating execution of the procedure.

TECHNICAL: Microsoft Entra ID

Navigate: Entra admin center (entra.microsoft.us) > Users > All users
SSP Language
OSA identifies all authorized users through Microsoft Entra ID within the organization's M365 GCC High tenant. Each authorized individual is provisioned a unique Entra ID user account, which serves as the single identity for accessing all CUI systems and services. OSA maintains a current listing of all active user accounts in Entra ID, and only active, management-approved accounts exist within the tenant. User accounts are reviewed quarterly via Entra ID Access Reviews to validate continued authorization.
Configuration Instructions
Step 1: Access the Authorized User List
1. Sign in to the Microsoft Entra admin center at https://entra.microsoft.us as a Global Administrator or User Administrator.
2. In the left navigation, select Users > All users.
3. This page displays every user account in the tenant; for a small organization like OSA, this is the authoritative list of authorized users.

Step 2: Ensure Every Account Corresponds to an Authorized Individual
1. From the All users view, review each account to confirm it corresponds to a current, authorized employee or contractor.
2. For each user, click the user name to view properties. Verify:
   - Display name matches the individual's legal or organizational name.
   - Job title and Department are populated (supports role-based access decisions under 3.1.2).
   - Account enabled is set to Yes for active users only.
   - Usage location is set (required for M365 GCC High license assignment).
3. Remove or disable any accounts that do not correspond to a currently authorized individual.

Step 3: Disable (Do Not Delete) Departed Users
1. When a user departs, navigate to Users > All users.
2. Select the user account.
3. Click the "Block sign-in" button at the top of the user profile page and confirm.
4. Click Save.
5. This preserves audit history while immediately revoking access.
6. After the retention period defined in your policy (e.g., 90 days), the account may be deleted.

Step 4: Export the User List for Documentation
1. From Users > All users, click the Download users button (top menu bar).
2. Select the format (CSV) and download.
3. Store this export as part of your quarterly access review evidence.
4. The CSV file serves as the "list of active system accounts and the name of the individual associated with each account" that an assessor will request per NIST 800-171A.

Step 5: Set Up Recurring Access Reviews (Recommended; requires Entra ID Governance / P2)
1. Navigate to Identity governance > Access Reviews.
2. Click + New access review.
3. Configure:
   - Review type: Select "Teams + Groups" or "Applications" depending on scope.
   - Scope: All users.
   - Reviewers: Select the designated manager or security officer.
   - Recurrence: Quarterly.
   - Upon completion: Auto-apply results (disable accounts not re-approved).
4. Click Create.
Evidence Guidance

Capture a screenshot of the Microsoft Entra admin center (entra.microsoft.us) > Users > All users page showing the complete list of active user accounts. The screenshot should display: user display names, user principal names (UPNs), account status (Enabled), and the date the screenshot was taken. If the list exceeds one screen, export the user list to CSV and provide that as supplemental evidence. Additionally, capture Entra ID sign-in logs (Monitoring > Sign-in logs) showing recent authentication activity to demonstrate active account management.
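As an added example that is not part of this page, the Configuration Instructions above, or Microsoft's own documentation: the following Microsoft Graph PowerShell script produces the same artefact as the Step 2 property checks and the Step 4 CSV export, and the supplemental CSV evidence described here, in a form that can be re-run identically every quarter. It connects to the US Government cloud endpoints used by GCC High, retrieves every user with the properties Step 2 asks you to verify, flags accounts that are missing those properties, are guest accounts, or have not signed in within a configurable window, and writes a dated CSV into an evidence folder. Assumptions: the Microsoft.Graph PowerShell SDK is installed, the signed-in administrator holds the User.Read.All and AuditLog.Read.All permissions, sign-in activity data requires an Entra ID P1 or P2 licence, and the $StaleDays threshold and $OutDir path are placeholders to be aligned with your own Access Control Policy.

```powershell
# Added example (not from the page or from Microsoft): quarterly authorized-user
# evidence export for 3.1.1[a] from a GCC High tenant.
# Requires: Install-Module Microsoft.Graph
# Assumptions: signed-in admin has User.Read.All and AuditLog.Read.All;
#              SignInActivity needs an Entra ID P1/P2 licence;
#              $StaleDays and $OutDir are placeholders for your policy values.
param(
    [int]    $StaleDays = 90,
    [string] $OutDir    = '.\access-review-evidence'
)

# GCC High authenticates against the US Government cloud, not the global endpoints.
Connect-MgGraph -Environment USGov -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome

# The properties Step 2 tells the reviewer to verify, plus sign-in activity.
$props = 'Id', 'DisplayName', 'UserPrincipalName', 'AccountEnabled', 'JobTitle',
         'Department', 'UsageLocation', 'UserType', 'SignInActivity', 'CreatedDateTime'

$users  = Get-MgUser -All -Property $props
$cutoff = (Get-Date).AddDays(-$StaleDays)

$report = foreach ($u in $users) {
    $findings   = [System.Collections.Generic.List[string]]::new()
    $lastSignIn = $u.SignInActivity.LastSignInDateTime

    # Disabled is the expected state for departed users (Step 3); surfaced for context,
    # so the reviewer can confirm the account is awaiting its retention-period deletion.
    if (-not $u.AccountEnabled)                         { $findings.Add('AccountDisabled') }
    if ([string]::IsNullOrWhiteSpace($u.JobTitle))      { $findings.Add('MissingJobTitle') }
    if ([string]::IsNullOrWhiteSpace($u.Department))    { $findings.Add('MissingDepartment') }
    if ([string]::IsNullOrWhiteSpace($u.UsageLocation)) { $findings.Add('MissingUsageLocation') }
    if ($u.UserType -eq 'Guest')                        { $findings.Add('GuestAccount') }

    # An enabled account with no recent sign-in is a candidate for re-authorization.
    if ($u.AccountEnabled -and (-not $lastSignIn -or $lastSignIn -lt $cutoff)) {
        $findings.Add("NoSignInWithin${StaleDays}Days")
    }

    [pscustomobject]@{
        DisplayName       = $u.DisplayName
        UserPrincipalName = $u.UserPrincipalName
        AccountEnabled    = $u.AccountEnabled
        JobTitle          = $u.JobTitle
        Department        = $u.Department
        UsageLocation     = $u.UsageLocation
        UserType          = $u.UserType
        Created           = $u.CreatedDateTime
        LastSignIn        = $lastSignIn
        Findings          = ($findings -join ';')
    }
}

# Dated file name records when the evidence was captured, as the guidance requires.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyy-MM-dd'
$csvPath = Join-Path $OutDir "entra-users-$stamp.csv"
$report | Export-Csv -Path $csvPath -NoTypeInformation

# Console summary for the reviewer: only accounts that need a decision.
$report | Where-Object Findings |
    Format-Table DisplayName, UserPrincipalName, Findings -AutoSize
Write-Host "Exported $($report.Count) accounts to $csvPath"
```

The script deliberately only reports. Disabling or removing an account remains a deliberate action taken under the Account Management Procedure, so the Findings column is an input to the reviewer's decision, not an automated one, and the full CSV (not just the flagged rows) is what gets retained alongside the quarterly review records.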
