📢 New post: Is It Even in Your Boundary? CVE-2026-0257 and the Question a KEV Clock Asks First · 📝 Also fresh: 20x Is Permanent Now: The Rehearsal's Over, the Rules Land in June · 🚦 Beacon — the FedRAMP 20x KSI emitter — design partners open ✨ · 🆕 20x Hub: program reference, kept current · 🧪 Free tool: KSI Quick Check — paste, run, get the verdict

FedRAMP Controls / PS

PS-6 Access Agreements

Family PS
Baselines moderate
Mapped KSIs 3

Control statement

a. Develop and document access agreements for organizational systems;
    b. Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and
    c. Verify that individuals requiring access to organizational information and systems:
        1. Sign appropriate access agreements prior to being granted access; and
        2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.

Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is preserved in the catalog database.

Covered by these Key Security Indicators

KSITitleCategory
KSI-CED-03Development and Engineering Training
_Persistently_ review the effectiveness of role-specific training given to development and engineering staff that covers best practices for delivering secure software.
Cybersecurity Education
KSI-IAM-04Just-in-Time Authorization
Use a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services.
Identity and Access Management
KSI-IAM-05Least Privilege
_Persistently_ ensure that identity and access management employs measures to ensure each user or device can only access the resources they need.
Identity and Access Management