Identification & Authentication Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Identification & Authentication Policy
Framework Reference: Secure Controls Framework – Identification & Authentication (IAC)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Identification & Authentication requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to ensure that only authorized individuals access FRHC systems, covering identity lifecycle management, authentication, access control, and session management.
2. Applicability
Section titled “2. Applicability”This standard applies to all FRHC systems, applications, and infrastructure where sensitive or regulated data—including ePHI—is processed, stored, or transmitted. It applies to all employees, contractors, vendors, and other third parties with access to FRHC systems, including both on-premises and cloud-hosted environments.
3. Standard
Section titled “3. Standard”3.1 Account Management
Section titled “3.1 Account Management”FRHC implements formal identity and access management controls governing the entire account lifecycle. All user, service, and system accounts are uniquely identifiable and provisioned only with documented managerial approval. Accounts are created only with executive or senior management approval, tracked via email, and remain linked to individual user IDs for traceability. Temporary accounts are discouraged; when required, their lifespan is documented and enforced through manual tracking by the CISO. Emergency access accounts are time-boxed and promptly removed upon expiration. Accounts are deactivated across all domains, applications, and services upon termination.
- Parent Policy Mapping: STH Identification & Authentication Policy, Section 3.1
- SCF Mapping: IAC-01 (Identity & Access Management (IAM)), IAC-15 (Account Management), IAC-15.2 (Removal of Temporary / Emergency Accounts), IAC-15.9 (Emergency Accounts)
3.2 Authentication
Section titled “3.2 Authentication”Each user is assigned a unique username following a standardized naming convention (first initial + last name, with middle initial added to resolve conflicts). FRHC enforces multi-factor authentication (MFA) for access to Microsoft 365, Azure resources, and protected networks within the Evocative datacenter. Duo MFA is used with Cisco AnyConnect for VPN-based access; Microsoft Authenticator is used for Microsoft 365. Vendor-supplied default credentials are changed during system setup, with credentials stored securely in Bitwarden.
Password policies are enforced through Active Directory Group Policy and Microsoft Entra ID:
| Setting | Entra ID Users | AD General Users | Domain Admins |
|---|---|---|---|
| Minimum length | 8 | 8 | 10 |
| Complexity | Enabled | Enabled | Enabled |
| Maximum age | 90 days | 90 days | 60 days |
| History | — | 10 | 10 |
| Minimum age | — | 5 days | 5 days |
| Lockout threshold | 5 attempts | 5 attempts | 5 attempts |
| Lockout duration | Escalating | 30 min | 30 min |
- Parent Policy Mapping: STH Identification & Authentication Policy, Section 3.2
- SCF Mapping: IAC-02 (Identification & Authentication for Organizational Users), IAC-06 (Multi-Factor Authentication (MFA)), IAC-09 (Identifier Management (User Names)), IAC-10 (Authenticator Management), IAC-10.8 (Default Authenticators)
3.3 Role-Based Access Control & Least Privilege
Section titled “3.3 Role-Based Access Control & Least Privilege”FRHC enforces role-based access via Active Directory security groups across multiple domains. Each role is granted only the minimum necessary access to perform job duties, with access assignments documented for all roles. Privileged users are restricted to specific administrative functions within required domains, and access is provided only to those with a verified business need. Only system administrators are authorized to use privileged utility programs, and execution is restricted to assigned access rights.
- Parent Policy Mapping: STH Identification & Authentication Policy, Section 3.3
- SCF Mapping: IAC-08 (Role-Based Access Control (RBAC)), IAC-16 (Privileged Account Management (PAM)), IAC-20 (Access Enforcement), IAC-20.3 (Use of Privileged Utility Programs), IAC-21 (Least Privilege), IAC-28 (Identity Proofing (Identity Verification)), IAC-28.1 (Management Approval For New or Changed Accounts)
3.4 Access Provisioning & Revocation
Section titled “3.4 Access Provisioning & Revocation”User provisioning and de-provisioning requests are initiated by executive leadership via email to the CISO and IT team. Upon role change, Active Directory group assignments are updated to reflect the new role, removing access no longer required and adding newly required access. Termination notices trigger immediate deactivation of all domain and application-specific accounts, including PatientRemedi and Credit Balance.
- Parent Policy Mapping: STH Identification & Authentication Policy, Section 3.4
- SCF Mapping: IAC-07 (User Provisioning & De-Provisioning), IAC-07.1 (Change of Roles & Duties), IAC-07.2 (Termination of Employment)
3.5 Periodic Access Reviews
Section titled “3.5 Periodic Access Reviews”The CISO performs quarterly reviews of all administrative accounts, group memberships, and SQL roles to validate that access remains appropriate. Reviews are documented, and unnecessary privileges are removed.
- Parent Policy Mapping: STH Identification & Authentication Policy, Section 3.5
- SCF Mapping: IAC-17 (Periodic Review of Account Privileges)
3.6 Session Management
Section titled “3.6 Session Management”A domain-wide Group Policy Object or Microsoft Entra ID policy enforces session locks after 15 minutes of inactivity, requiring reauthentication to regain access. Remote desktop sessions are terminated after 5 days of disconnection. Account lockout is enforced after 5 consecutive failed login attempts across all Active Directory domains.
- Parent Policy Mapping: STH Identification & Authentication Policy, Section 3.6
- SCF Mapping: IAC-22 (Account Lockout), IAC-24 (Session Lock), IAC-25 (Session Termination)
3.7 Privileged Account Management
Section titled “3.7 Privileged Account Management”Privileged accounts are limited to authorized administrators and protected using MFA. Privileged access is granted only where required for administrative duties and is not used for routine user activity. Privileged account assignments and usage are logged and reviewed at least quarterly to validate continued business need.
Emergency Access (Break-Glass) Accounts: FRHC maintains a break-glass emergency access account in the frhc.com Entra ID tenant for use exclusively when normal privileged access mechanisms are unavailable — such as a Conditional Access misconfiguration, MFA system outage, or simultaneous lockout of all standard Global Administrators. The break-glass account holds a permanent active Global Administrator assignment and is excluded from standard Conditional Access policies. Both of these configurations represent documented exceptions to standard least-privilege and MFA enforcement controls, formally risk-accepted and justified by the emergency scenarios that require break-glass access.
In lieu of standard CA enforcement, the following compensating controls are in place: the account is restricted to FIDO2 security key authentication only (no password-only sign-in is permitted); all account activity is subject to dedicated monitoring in the SIEM with immediate high-severity alerting on any sign-in attempt, authentication method change, role assignment change, or credential modification; and post-use password rotation is mandatory following any session. The break-glass account, its authorized custodians, compensating controls, and permitted use cases are governed by the FRHC Break-Glass Emergency Access Procedure. Custodians and configuration are reviewed quarterly.
- Parent Policy Mapping: STH Identification & Authentication Policy, Sections 3.1 and 3.3
- SCF Mapping:
- IAC-15.9 (Emergency Accounts)
- IAC-16 (Privileged Account Management (PAM))
- IAC-21 (Least Privilege)
3.8 Access Enforcement & Revocation
Section titled “3.8 Access Enforcement & Revocation”Access to systems and data is enforced through technical controls aligned with approved authorizations. Temporary access grants are time-bound and documented.
Emergency access accounts (break-glass accounts) are an exception to the time-bound access model: they are permanently provisioned accounts with permanently active privileged assignments. This design is intentional — just-in-time activation mechanisms may themselves be unavailable during the emergency scenarios requiring break-glass use. This exception is formally documented, risk-accepted, and compensated by dedicated procedures that restrict use to defined emergency scenarios, mandate post-use credential rotation, and require enhanced monitoring and alerting. See Section 3.7 and the FRHC Break-Glass Emergency Access Procedure.
Access is revoked immediately upon termination, contract expiration, or removal of business need. De-provisioning of a break-glass custodian includes immediate deregistration of their authentication credentials and revocation of credential access, as defined in the FRHC Break-Glass Emergency Access Procedure.
- Parent Policy Mapping: STH Identification & Authentication Policy, Section 3.4
- SCF Mapping:
- IAC-20 (Access Enforcement)
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains evidence supporting identification and authentication controls, including provisioning records, MFA enrollment logs, access review documentation, and Group Policy exports. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Identification & Authentication Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.308(a)(4) – Information Access Management
- 45 CFR §164.312(d) – Person or Entity Authentication
- AICPA SOC 2 Trust Services Criteria:
- Security (CC6, CC7)
- Confidentiality (C1)
- Massachusetts 201 CMR 17.00: §17.04(1)(e) – Reasonably Up-to-Date System Security Agent Software Including Account Lockout
Framework Alignment:
- IAC-01 – Identity & Access Management (IAM)
- IAC-02 – Identification & Authentication for Organizational Users
- IAC-06 – Multi-Factor Authentication (MFA)
- IAC-07 – User Provisioning & De-Provisioning
- IAC-07.1 – Change of Roles & Duties
- IAC-07.2 – Termination of Employment
- IAC-08 – Role-Based Access Control (RBAC)
- IAC-09 – Identifier Management (User Names)
- IAC-10 – Authenticator Management
- IAC-10.8 – Default Authenticators
- IAC-15 – Account Management
- IAC-15.2 – Removal of Temporary / Emergency Accounts
- IAC-15.9 – Emergency Accounts
- IAC-16 – Privileged Account Management (PAM)
- IAC-17 – Periodic Review of Account Privileges
- IAC-20 – Access Enforcement
- IAC-20.3 – Use of Privileged Utility Programs
- IAC-21 – Least Privilege
- IAC-22 – Account Lockout
- IAC-24 – Session Lock
- IAC-25 – Session Termination
- IAC-28 – Identity Proofing (Identity Verification)
- IAC-28.1 – Management Approval For New or Changed Accounts
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | May 2021 | M Machin |
| 1.0 | Formatting Update | September 2022 | WSI |
| 2.0 | Updated and approved for 2024 | July 2024 | WSI |
| 3.0 | Approved for 2025 | August 2025 | M Machin |
| 4.0 | Converted to Standard | April 2026 | M Machin |
| 4.1 | Addition of Sections 3.7 and 3.8 for privileged & emergency account management | April 2026 | M Machin |
| 4.2 | Added 201 CMR 17.00 §17.04(1)(e) account lockout citation | April 2026 | M Machin |
