This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs automated mechanisms to support the management of information system accounts.
NIST 800-53 (r4) Supplemental Guidance:
The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical system account usage.
NIST 800-53 (r5) Discussion:
Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications.
38North Guidance:
Meets Minimum Requirement:
Employ automated mechanisms to support the management of information system accounts. Automated mechanisms can include solutions such as Active Directory, other directory services, ticketing systems, etc.
Best Practice:
Account management solutions, such as Active Directory for network accounts, should be implemented.
Local or service accounts should not be used unless their passwords are protected and rotated at least every 60 days, or when personnel with access to those service or local accounts transfer or are terminated.
Automated mechanisms in the form of email, chat communications, or ticketing systems should be implemented to send notifications of account changes.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots or samples of emails, chats, and/or ticketing systems demonstrating that alerts are sent out when accounts are created, enabled, modified, or disabled/terminated.
Screenshots of a CSP system administrator navigating through the account management process within the FedRAMP boundary, demonstrating that automated mechanisms are implemented for all account activity within the environment.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD