Access Control Policy

Last Updated:

1. Purpose

This policy defines the framework for granting, managing, and revoking access to 1to5.ai's information systems and Federal Contract Information (FCI). The objective is to ensure that access is granted on a "least privilege" basis and restricted to authorized users, processes, and devices. This document supports our commitment to Cybersecurity Maturity Model Certification (CMMC) Level 1.

2. Scope

This policy applies to all 1to5.ai employees, contractors, and partners who access, process, or store FCI on company information systems. This includes the client portal, internal databases, and cloud infrastructure.

3. Policy Statements

  • AC.L1-3.1.1: Limit System Access: Access to information systems is restricted to authorized users. User accounts are created upon approval by an administrator. Access is granted based on job role and responsibilities (principle of least privilege).
  • AC.L1-3.1.2: Limit Functions: Users are permitted to execute only the transactions and functions essential to their role. This is enforced through role-based access control (RBAC) in our systems, such as Firebase security rules.
  • AT.L1-3.3.1: User Identification and Authentication: All users must be uniquely identified and authenticated before accessing any system containing FCI. We use Firebase Authentication, which requires a unique email address and a strong password (a minimum of 8 characters, including at least one number and one special character).
  • MP.L1-3.8.1: Media Protection: Digital and physical media containing FCI must be protected. Digital FCI is encrypted at rest and in transit. Physical media, if used, must be securely stored and disposed of.
  • PE.L1-3.10.1: Physical Access Control: Physical access to organizational systems, equipment, and storage is limited to authorized individuals. Our cloud infrastructure is hosted with major providers (e.g., Google Cloud) that maintain certified, secure data centers.
  • SC.L1-3.13.1: Boundary Protection: We monitor and control communications at the boundary of our information systems. This is managed through firewalls, security groups, and Firebase security rules that define and limit system connections.
  • SI.L1-3.14.1 & SI.L1-3.14.2: Flaw Remediation & Malicious Code Protection: We identify and correct system flaws in a timely manner. Our systems are protected by antivirus software, and we regularly apply security patches. User-uploaded files are scanned, and system activity is monitored for malicious code.

4. Roles and Responsibilities

  • Administrators: Responsible for creating user accounts, assigning privileges, and periodically reviewing access lists.
  • Users: Responsible for safeguarding their authentication credentials and reporting any suspected security incidents.

5. Enforcement

Violation of this policy may result in disciplinary action, up to and including termination of employment or contract, and legal action if applicable.

6. Contact Information

For questions regarding this policy or to report a security incident, please contact us at: contact@1to5.ai.