This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
NIST 800-53 (r4) Supplemental Guidance:
Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.
References: OMB Memorandum 06-16.
NIST 800-53 (r5) Discussion:
The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed.
38North Guidance:
Meets Minimum Requirement:
When a session has expired, the system will redirect the user to the login page, which does not contain any system information and is a publicly viewable screen.
Workstations are out of scope; this applies to anything in-boundary that has an interface, such as a shell, web interface, or bastion.
Best Practice:
All password fields within system components or applications (if applications are being offered as part of the service offering) should be concealed with asterisks or other special characters that do not reveal the password.
A session lock for a console is the equivalent of a login screen.
Where no pattern-hiding display is available for a CLI, residual terminal data on the laptop can be compensated for by standard laptop configurations with a screensaver/session lock; service guidance will be to operate systems only from approved devices (laptops/phones) that have the standard configuration.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Observe and take screenshots of system administrators logging into a sample set of different system components, as well as any applicable applications that are being offered as part of a service offering.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD