| This guidance is intended for Information Assurance Managers/Officers or System Administrators tasked with insuring that only those personnel cleared for the level of information processed by the system, and the requisite need to know, are granted access to the system for processing purposes: |
1. Identify types of sensitive (i.e., non-classified) information processed by the system.
2. For each person assigned to the organization and requiring processing privileges on the system, ensure that access authorization is provided by the organizational Security Officer in the form of a document clearly stating that the user has undergone the required background investigation for access to sensitive information, is cleared accordingly, and has been authorized access to the information on a need-to-know basis.