Skip to content

Identification & Authentication Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Identification & Authentication Policy
Framework Reference: Secure Controls Framework – Identification & Authentication (IAC)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Identification & Authentication requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to ensure that only authorized individuals access FRHC systems, covering identity lifecycle management, authentication, access control, and session management.


This standard applies to all FRHC systems, applications, and infrastructure where sensitive or regulated data—including ePHI—is processed, stored, or transmitted. It applies to all employees, contractors, vendors, and other third parties with access to FRHC systems, including both on-premises and cloud-hosted environments.


FRHC implements formal identity and access management controls governing the entire account lifecycle. All user, service, and system accounts are uniquely identifiable and provisioned only with documented managerial approval. Accounts are created only with executive or senior management approval, tracked via email, and remain linked to individual user IDs for traceability. Temporary accounts are discouraged; when required, their lifespan is documented and enforced through manual tracking by the CISO. Emergency access accounts are time-boxed and promptly removed upon expiration. Accounts are deactivated across all domains, applications, and services upon termination.

  • Parent Policy Mapping: STH Identification & Authentication Policy, Section 3.1
  • SCF Mapping: IAC-01 (Identity & Access Management (IAM)), IAC-15 (Account Management), IAC-15.2 (Removal of Temporary / Emergency Accounts), IAC-15.9 (Emergency Accounts)

Each user is assigned a unique username following a standardized naming convention (first initial + last name, with middle initial added to resolve conflicts). FRHC enforces multi-factor authentication (MFA) for access to Microsoft 365, Azure resources, and protected networks within the Evocative datacenter. Duo MFA is used with Cisco AnyConnect for VPN-based access; Microsoft Authenticator is used for Microsoft 365. Vendor-supplied default credentials are changed during system setup, with credentials stored securely in Bitwarden.

Password policies are enforced through Active Directory Group Policy and Microsoft Entra ID:

SettingEntra ID UsersAD General UsersDomain Admins
Minimum length8810
ComplexityEnabledEnabledEnabled
Maximum age90 days90 days60 days
History1010
Minimum age5 days5 days
Lockout threshold5 attempts5 attempts5 attempts
Lockout durationEscalating30 min30 min
  • Parent Policy Mapping: STH Identification & Authentication Policy, Section 3.2
  • SCF Mapping: IAC-02 (Identification & Authentication for Organizational Users), IAC-06 (Multi-Factor Authentication (MFA)), IAC-09 (Identifier Management (User Names)), IAC-10 (Authenticator Management), IAC-10.8 (Default Authenticators)

3.3 Role-Based Access Control & Least Privilege

Section titled “3.3 Role-Based Access Control & Least Privilege”

FRHC enforces role-based access via Active Directory security groups across multiple domains. Each role is granted only the minimum necessary access to perform job duties, with access assignments documented for all roles. Privileged users are restricted to specific administrative functions within required domains, and access is provided only to those with a verified business need. Only system administrators are authorized to use privileged utility programs, and execution is restricted to assigned access rights.

  • Parent Policy Mapping: STH Identification & Authentication Policy, Section 3.3
  • SCF Mapping: IAC-08 (Role-Based Access Control (RBAC)), IAC-16 (Privileged Account Management (PAM)), IAC-20 (Access Enforcement), IAC-20.3 (Use of Privileged Utility Programs), IAC-21 (Least Privilege), IAC-28 (Identity Proofing (Identity Verification)), IAC-28.1 (Management Approval For New or Changed Accounts)

User provisioning and de-provisioning requests are initiated by executive leadership via email to the CISO and IT team. Upon role change, Active Directory group assignments are updated to reflect the new role, removing access no longer required and adding newly required access. Termination notices trigger immediate deactivation of all domain and application-specific accounts, including PatientRemedi and Credit Balance.

  • Parent Policy Mapping: STH Identification & Authentication Policy, Section 3.4
  • SCF Mapping: IAC-07 (User Provisioning & De-Provisioning), IAC-07.1 (Change of Roles & Duties), IAC-07.2 (Termination of Employment)

The CISO performs quarterly reviews of all administrative accounts, group memberships, and SQL roles to validate that access remains appropriate. Reviews are documented, and unnecessary privileges are removed.

  • Parent Policy Mapping: STH Identification & Authentication Policy, Section 3.5
  • SCF Mapping: IAC-17 (Periodic Review of Account Privileges)

A domain-wide Group Policy Object or Microsoft Entra ID policy enforces session locks after 15 minutes of inactivity, requiring reauthentication to regain access. Remote desktop sessions are terminated after 5 days of disconnection. Account lockout is enforced after 5 consecutive failed login attempts across all Active Directory domains.

  • Parent Policy Mapping: STH Identification & Authentication Policy, Section 3.6
  • SCF Mapping: IAC-22 (Account Lockout), IAC-24 (Session Lock), IAC-25 (Session Termination)

Privileged accounts are limited to authorized administrators and protected using MFA. Privileged access is granted only where required for administrative duties and is not used for routine user activity. Privileged account assignments and usage are logged and reviewed at least quarterly to validate continued business need.

Emergency Access (Break-Glass) Accounts: FRHC maintains a break-glass emergency access account in the frhc.com Entra ID tenant for use exclusively when normal privileged access mechanisms are unavailable — such as a Conditional Access misconfiguration, MFA system outage, or simultaneous lockout of all standard Global Administrators. The break-glass account holds a permanent active Global Administrator assignment and is excluded from standard Conditional Access policies. Both of these configurations represent documented exceptions to standard least-privilege and MFA enforcement controls, formally risk-accepted and justified by the emergency scenarios that require break-glass access.

In lieu of standard CA enforcement, the following compensating controls are in place: the account is restricted to FIDO2 security key authentication only (no password-only sign-in is permitted); all account activity is subject to dedicated monitoring in the SIEM with immediate high-severity alerting on any sign-in attempt, authentication method change, role assignment change, or credential modification; and post-use password rotation is mandatory following any session. The break-glass account, its authorized custodians, compensating controls, and permitted use cases are governed by the FRHC Break-Glass Emergency Access Procedure. Custodians and configuration are reviewed quarterly.

  • Parent Policy Mapping: STH Identification & Authentication Policy, Sections 3.1 and 3.3
  • SCF Mapping:
    • IAC-15.9 (Emergency Accounts)
    • IAC-16 (Privileged Account Management (PAM))
    • IAC-21 (Least Privilege)

Access to systems and data is enforced through technical controls aligned with approved authorizations. Temporary access grants are time-bound and documented.

Emergency access accounts (break-glass accounts) are an exception to the time-bound access model: they are permanently provisioned accounts with permanently active privileged assignments. This design is intentional — just-in-time activation mechanisms may themselves be unavailable during the emergency scenarios requiring break-glass use. This exception is formally documented, risk-accepted, and compensated by dedicated procedures that restrict use to defined emergency scenarios, mandate post-use credential rotation, and require enhanced monitoring and alerting. See Section 3.7 and the FRHC Break-Glass Emergency Access Procedure.

Access is revoked immediately upon termination, contract expiration, or removal of business need. De-provisioning of a break-glass custodian includes immediate deregistration of their authentication credentials and revocation of credential access, as defined in the FRHC Break-Glass Emergency Access Procedure.

  • Parent Policy Mapping: STH Identification & Authentication Policy, Section 3.4
  • SCF Mapping:
    • IAC-20 (Access Enforcement)

FRHC maintains evidence supporting identification and authentication controls, including provisioning records, MFA enrollment logs, access review documentation, and Group Policy exports. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Identification & Authentication Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(4) – Information Access Management
    • 45 CFR §164.312(d) – Person or Entity Authentication
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC6, CC7)
    • Confidentiality (C1)
  • Massachusetts 201 CMR 17.00: §17.04(1)(e) – Reasonably Up-to-Date System Security Agent Software Including Account Lockout

Framework Alignment:

  • IAC-01 – Identity & Access Management (IAM)
  • IAC-02 – Identification & Authentication for Organizational Users
  • IAC-06 – Multi-Factor Authentication (MFA)
  • IAC-07 – User Provisioning & De-Provisioning
  • IAC-07.1 – Change of Roles & Duties
  • IAC-07.2 – Termination of Employment
  • IAC-08 – Role-Based Access Control (RBAC)
  • IAC-09 – Identifier Management (User Names)
  • IAC-10 – Authenticator Management
  • IAC-10.8 – Default Authenticators
  • IAC-15 – Account Management
  • IAC-15.2 – Removal of Temporary / Emergency Accounts
  • IAC-15.9 – Emergency Accounts
  • IAC-16 – Privileged Account Management (PAM)
  • IAC-17 – Periodic Review of Account Privileges
  • IAC-20 – Access Enforcement
  • IAC-20.3 – Use of Privileged Utility Programs
  • IAC-21 – Least Privilege
  • IAC-22 – Account Lockout
  • IAC-24 – Session Lock
  • IAC-25 – Session Termination
  • IAC-28 – Identity Proofing (Identity Verification)
  • IAC-28.1 – Management Approval For New or Changed Accounts

RevDescriptionDateApproved
-Policy createdMay 2021M Machin
1.0Formatting UpdateSeptember 2022WSI
2.0Updated and approved for 2024July 2024WSI
3.0Approved for 2025August 2025M Machin
4.0Converted to StandardApril 2026M Machin
4.1Addition of Sections 3.7 and 3.8 for privileged & emergency account managementApril 2026M Machin
4.2Added 201 CMR 17.00 §17.04(1)(e) account lockout citationApril 2026M Machin

Internal Use Only