| Practice | Title | FAR 52.204-21 clause | Requirement | Implementation | Evidence |
|---|---|---|---|---|---|
| AC.L1-3.1.1 | Authorized Access Control | (b)(1)(i) | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices. | Active Directory / Microsoft 365 account provisioning per named employee. Workstation login requires individual credentials. Shared accounts prohibited on any system that touches FCI. | Account-provisioning record, joiner/mover/leaver log, workstation policy. |
| AC.L1-3.1.2 | Transaction & Function Control | (b)(1)(ii) | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Role-based access groups on file shares and ERP. Admin rights restricted to a named subset; standard users cannot install software or alter system configuration. | Role-permission matrix, file-share ACL export. |
| AC.L1-3.1.20 | External Connections | (b)(1)(iii) | Verify and control/limit connections to and use of external information systems. | Outbound business-service connections (banking, ERP, email) are vetted and documented. No personal cloud-storage or removable-media writes from FCI-handling endpoints. | Approved-services list, USB-policy enforcement record. |
| AC.L1-3.1.22 | Public Information Posting | (b)(1)(iv) | Control information posted or processed on publicly accessible information systems. | Public website and social channels are reviewed before publication. Customer-controlled material, drawings, FCI, or any program-identifying information is never published. | Marketing approval workflow, public-posting policy. |
| IA.L1-3.5.1 | Identification | (b)(1)(v) | Identify information system users, processes acting on behalf of users, or devices. | Each employee assigned a unique user account. Service accounts named and inventoried. No shared logins on FCI-handling systems. | User-account inventory, service-account register. |
| IA.L1-3.5.2 | Authentication | (b)(1)(vi) | Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access. | Password complexity policy enforced via Group Policy. Multi-factor authentication (MFA) required on all remote access and on Microsoft 365. | GPO export, MFA enrollment report. |
| MP.L1-3.8.3 | Media Disposal | (b)(1)(vii) | Sanitize or destroy information system media containing FCI before disposal or release for reuse. | Retired hard drives are wiped to NIST SP 800-88 Clear/Purge level or physically destroyed. Removable media containing FCI is destroyed in-house. | Media-destruction log with serial numbers and dates. |
| PE.L1-3.10.1 | Limit Physical Access | (b)(1)(viii) | Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. | Facility locked outside business hours. Production floor accessible only via badged or key entry. Server hardware in locked space. | Facility access policy, key/badge issuance log. |
| PE.L1-3.10.3 | Escort Visitors | (b)(1)(ix) | Escort visitors and monitor visitor activity. | Visitors sign in at reception, receive a badge, and are escorted at all times in production, inspection, and office areas. | Visitor log, escort policy. |
| PE.L1-3.10.4 | Physical Access Logs | (b)(1)(x) | Maintain audit logs of physical access. | Visitor sign-in records retained per the document-control procedure. Reviewed periodically as part of internal audit. | Retained visitor log, document-control retention record. |
| PE.L1-3.10.5 | Manage Physical Access | (b)(1)(xi) | Control and manage physical access devices. | Keys and access badges are issued, tracked, and recovered on employee separation. Lost badges deactivated immediately. | Badge issuance/recovery log, separation checklist. |
| SC.L1-3.13.1 | Boundary Protection | (b)(1)(xii) | Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information systems. | Business-grade firewall at network perimeter with default-deny inbound. Outbound filtering on known-malicious categories. | Firewall rule-set export, perimeter diagram. |
| SC.L1-3.13.5 | Public-Access System Separation | (b)(1)(xiii) | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Public-facing services (website, guest Wi-Fi) are logically separated from the internal shop network. Guest Wi-Fi cannot reach internal subnets. | Network segmentation diagram, VLAN configuration. |
| SI.L1-3.14.1 | Flaw Remediation | (b)(1)(xiv) | Identify, report, and correct information and information system flaws in a timely manner. | OS and application updates applied on a managed schedule. Critical security patches prioritized. | Patch-management report, monthly status summary. |
| SI.L1-3.14.2 | Malicious Code Protection | (b)(1)(xv) | Provide protection from malicious code at appropriate locations within organizational information systems. | Endpoint protection deployed on every workstation and server. Email gateway scans attachments and URLs. | Endpoint deployment report, EDR console export. |
| SI.L1-3.14.4 | Update Malicious Code Protection | (b)(1)(xvi) | Update malicious code protection mechanisms when new releases are available. | Automatic signature/definition updates configured. Engine updates applied per vendor cadence. | EDR update-status report. |
| SI.L1-3.14.5 | System & File Scanning | (b)(1)(xvii) | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Real-time scanning enabled. Scheduled full-system scans run weekly. Removable-media scans on insertion. | Scheduled-scan log, scan-result summaries. |