Uniquely identify and authenticate organizational users and associate that unique identification with actions performed on the system.

Section 3 of this control is not intended to apply to workstation (desktop/laptop) operating system interactive (in-person) logons.


  • This Control applies to all Texas A&M information resources. The intended audience for this Control includes all owners and custodians of information resources.


  • 1

    Information resources shall be configured to uniquely identify and authenticate all users of university information resources (See Control AC-2, Account Management).

    • 1.1

      Users must be uniquely identified and authenticated before the information resource may grant that user access.

    • 1.2

      Unique identification of individuals in group accounts (e.g. shared privilege accounts) may need to be considered for additional accountability of activity.

  • 2

    Multi-factor authentication should be implemented based on documented risk management decisions for access to privileged or non-privileged accounts where one of the factors is provided by an asset separate from the information being accessed.

  • 3

    Multi-factor authentication is required for any information resource that stores or processes Confidential or Critical data.