This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system monitors and controls remote access methods.
NIST 800-53 (r4) Supplemental Guidance:
Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12.
NIST 800-53 (r5) Discussion:
Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2. Audit events are defined in AU-2a.
38North Guidance:
Meets Minimum Requirement:
Identify all remote access methods permitted and ensure that mechanisms are implemented for monitoring and controlling such remote access. Ensure that all remote access is logged and forwarded to a SIEM or logging aggregator and that a remote access baseline is established for the information system in scope. In the event that remote access thresholds are reached, configure the system to trigger an alert to initiate further investigation by administrator personnel.
Identify and implement remote access control mechanisms to aid in establishing and disabling remote access methods if/when needed to ensure the integrity of the information system.
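One way to implement the remote access baseline and alert threshold described above, as an added example that is not 38North or NIST material. It assumes SSH via OpenSSH is one of the permitted remote access methods; the log lines, host and user names, and the threshold of three failures are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# OpenSSH sshd auth lines; SSH is an assumed remote access method, not named by the page.
LINE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) [\d:]{8} \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

def parse(lines):
    """Yield (day, result, user, src) for each recognised sshd auth line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m["mon"] + " " + m["day"], m["result"], m["user"], m["src"]

def build_baseline(lines):
    """Baseline: per-user set of source addresses seen in successful logins."""
    known = defaultdict(set)
    for _, result, user, src in parse(lines):
        if result == "Accepted":
            known[user].add(src)
    return known

def alerts(lines, baseline, max_failures=3):
    """Alert on logins from unbaselined sources and on a source reaching the daily failure threshold."""
    out, failures = [], Counter()
    for day, result, user, src in parse(lines):
        if result == "Failed":
            failures[(day, src)] += 1
            if failures[(day, src)] == max_failures:  # fire once per source per day
                out.append(("FAILURE_THRESHOLD", user, src))
        elif src not in baseline.get(user, set()):
            out.append(("NEW_SOURCE", user, src))
    return out

# Constructed sample log lines (documentation address ranges), not taken from the page.
HISTORY = [
    "Mar  3 09:02:11 bastion sshd[2101]: Accepted publickey for alice from 203.0.113.10 port 50122 ssh2",
    "Mar  3 09:40:53 bastion sshd[2140]: Accepted publickey for bob from 203.0.113.22 port 50977 ssh2",
]
TODAY = [
    "Mar  5 02:13:40 bastion sshd[3050]: Failed password for invalid user admin from 198.51.100.7 port 40100 ssh2",
    "Mar  5 02:13:44 bastion sshd[3052]: Failed password for invalid user admin from 198.51.100.7 port 40102 ssh2",
    "Mar  5 02:13:49 bastion sshd[3055]: Failed password for bob from 198.51.100.7 port 40105 ssh2",
    "Mar  5 02:20:05 bastion sshd[3071]: Accepted password for bob from 198.51.100.7 port 40131 ssh2",
    "Mar  5 09:01:02 bastion sshd[3120]: Accepted publickey for alice from 203.0.113.10 port 40001 ssh2",
]
if __name__ == "__main__":
    print(alerts(TODAY, build_baseline(HISTORY)))
```

In practice the same two rules would run in the SIEM or logging aggregator against the forwarded logs, with the resulting alerts opening the investigation tickets used as assessment evidence.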
Best Practice:
Remote access methods should be limited, monitored, and controlled so that all access to the information system in scope is secure and, as far as possible, free of violations. CSPs should identify and document ALL remote access methods and the access restrictions for each; monitor ALL remote access using logging mechanisms; and control such remote access using mechanisms that support the modification or termination of remote access should it be necessary.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Screenshot evidence of logs for each type of remote access showing that ALL remote access is indeed being logged and audited.
Tickets showing that remote access has been authorized, modified, or terminated based on system needs.
Tickets showing that remote access is indeed being reviewed for atypical usage and that remote access accounts are reviewed at least annually for compliance.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD