MP-6(7)—Dual Authorization
Supplemental Guidance
Organizations employ dual authorization to help ensure that system media sanitization cannot occur unless two technically qualified individuals conduct the designated task. Individuals who sanitize system media possess sufficient skills and expertise to determine if the proposed sanitization reflects applicable federal and organizational standards, policies, and procedures. Dual authorization also helps to ensure that sanitization occurs as intended, protecting against errors and false claims of having performed the sanitization actions.
Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of MP-6(7) (Dual Authorization)?
- Who are the designated roles responsible for implementing, maintaining, and monitoring MP-6(7)?
- How frequently is the MP-6(7) policy reviewed and updated, and what triggers policy changes?
- What governance structure ensures MP-6(7) requirements are consistently applied across all systems?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce MP-6(7) requirements.
- What automated tools, systems, or technologies are deployed to implement MP-6(7)?
- How is MP-6(7) integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce MP-6(7) requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of MP-6(7)?
- What audit logs, records, reports, or monitoring data validate MP-6(7) compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of MP-6(7) effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate MP-6(7) compliance?