This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [FedRAMP Assignment: (M)(H) fifteen (15) minutes].
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement requires organizations to have the capability to rapidly disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions/business functions and the need to eliminate immediate or future remote access to organizational information systems.
NIST 800-53 (r5) Discussion:
The speed of system disconnect or disablement varies based on the criticality of missions or business functions and the need to eliminate immediate or future remote access to systems.
38North Guidance:
Meets Minimum Requirement:
Ensure that the CSP can terminate/disconnect remote access to the CSO within fifteen (15) minutes of detection of malicious activity or upon request by authorities. Remote access sessions come in many forms: VPN connections to the information system, SSH access, and/or RDP access. Each of these should be implemented in a way that allows access to be terminated/disconnected within fifteen (15) minutes.
Best Practice:
Document the remote access termination/disconnection policy and its implementation within an AC policy and procedures. Ensure that all requests to terminate/disconnect remote access are documented, tracked, reviewed, and approved by stakeholders.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Observe and take screenshots of system administrators demonstrating that remote access can be terminated/disconnected within 15 minutes of detection of malicious activity or upon request.
Tickets demonstrating the request to disable remote access, or other documentation of the termination/disconnection process. Also, if remote access must be terminated immediately, before a ticket is generated, the CSO should retroactively create a ticket, document it thoroughly, and provide it to the auditor.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD