NIST 800-53 REV 5 • ACCESS CONTROL

AC-14(1) Necessary Uses

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

For any action you allow without authentication, document exactly why it is necessary. There should be a clear business or mission justification for every exception.

Example 1: In your SSP, create a table listing each unauthenticated action, the system it applies to, the justification (e.g., "Public website must be accessible to potential customers"), and the approving authority. Review this table during every annual SSP update.

Example 2: For network services, document why DNS, DHCP, and NTP are available without authentication (clients typically need them before they hold an address, credentials, or correct time, so requiring authentication first would prevent the network from functioning). Ensure these services are hardened; for example, restrict DNS zone transfers to the authorized secondary servers only, using allow-transfer in BIND or the zone transfer settings on a Windows DNS server.
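As an added example (not part of the original page), the fragment below shows a BIND named.conf zone that permits transfers to anyone beside the hardened form that restricts them to the documented secondaries. The zone name, file path, secondary addresses (RFC 5737 documentation range), and key name are placeholders; the two zone blocks are alternatives and must not both be loaded in the same view.

```conf
// WEAK: any host that can reach port 53 can pull the whole zone with an AXFR,
// handing an attacker a complete host inventory.
zone "example.internal" IN {
    type primary;            // "type master;" on BIND releases before 9.16
    file "/var/named/example.internal.zone";
    allow-transfer { any; };
};

// HARDENED: transfers only from the authorized secondaries, and only when the
// request is signed with the shared TSIG key. These are the hosts your SSP
// table lists as the approved consumers of the zone.
key "xfer-key" {
    algorithm hmac-sha256;
    // Placeholder: generate the real value with `tsig-keygen xfer-key`
    // and copy the same key statement to each secondary.
    secret "REPLACE_WITH_OUTPUT_OF_tsig-keygen";
};

acl "secondaries" { 192.0.2.10; 192.0.2.11; };   // placeholder addresses

zone "example.internal" IN {
    type primary;
    file "/var/named/example.internal.zone";
    // BIND address-match-list idiom for "in secondaries AND signed with key":
    // a client outside the ACL matches the inner list and is denied by the
    // outer negation; a client inside it falls through to the key check.
    allow-transfer { !{ !secondaries; any; }; key xfer-key; };
};
```

To verify the control, run `dig @<primary> example.internal axfr` from a host that is not an authorized secondary; a hardened server answers "Transfer failed." rather than listing the zone. On Windows DNS the equivalent setting is the zone's Zone Transfers tab, or `Set-DnsServerPrimaryZone -Name example.internal -SecureSecondaries TransferToSecureServers -SecondaryServers 192.0.2.10,192.0.2.11` in PowerShell (placeholder values again).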