This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system terminates shared/group account credentials when members leave the group.
AC-2 (9) Additional FedRAMP Requirements and Guidance: Required if shared/group accounts are deployed.
NIST 800-53 (r4) Supplemental Guidance:
None
NIST 800-53 (r5) Discussion:
[Withdrawn: Incorporated into AC-2k.]
38North Guidance:
Meets Minimum Requirement:
Terminate shared/group account credentials when members leave the group.
Best Practice:
Do not permit shared or group accounts within the FedRAMP environment, so that all audited actions can be traced to an individual. If shared/group accounts are used, ensure that all actions can be correlated back to each individual who holds the shared/group account credentials.
When personnel who have access to shared/group account credentials are transferred or terminated, the shared secret should be changed immediately to a generated strong password of at least 18 characters.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Export of all user accounts verifying that no shared or group accounts exist. If shared/group accounts do exist, the CSP needs to provide documentation of those accounts, including how often the passwords are changed and who has access.
Screenshots of tickets documenting that passwords for group/shared accounts are changed when personnel are transferred or terminated.
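The following is an added example (not from 38North, FedRAMP or NIST) that reviews an account export against the Best Practice and Assessment Evidence above: it flags every account not held by exactly one named individual, checks that each shared account's credential was rotated after its most recent member removal, and generates a replacement secret of the 18-character minimum. The export format and the sample accounts are constructed assumptions.

```python
import secrets
import string
from datetime import date

MIN_PASSWORD_LEN = 18  # minimum length named in the best-practice guidance

# Constructed sample account export (assumed format, not real data). Each record
# lists the named individuals holding the credential, the dates on which a
# holder was removed, and the dates on which the credential was rotated.
ACCOUNTS = [
    {"name": "jdoe", "holders": ["jdoe"], "removed_on": [], "rotated_on": []},
    {"name": "svc-backup", "holders": ["asmith", "bjones"],
     "removed_on": [date(2023, 3, 10)], "rotated_on": [date(2023, 3, 10)]},
    {"name": "ops-shared", "holders": ["cwhite", "dgreen", "efox"],
     "removed_on": [date(2023, 5, 2)], "rotated_on": [date(2023, 1, 15)]},
    {"name": "legacy-admin", "holders": [], "removed_on": [], "rotated_on": []},
]


def is_shared(account):
    """An account is shared (or unowned) unless exactly one individual holds it."""
    return len(account["holders"]) != 1


def rotation_is_current(account):
    """True when no holder was removed after the most recent credential rotation."""
    if not account["removed_on"]:
        return True
    last_removal = max(account["removed_on"])
    last_rotation = max(account["rotated_on"], default=None)
    return last_rotation is not None and last_rotation >= last_removal


def review(accounts):
    """Map each account name to a list of findings; an empty list means clean."""
    findings = {}
    for acct in accounts:
        issues = []
        if is_shared(acct):
            issues.append("shared/group account" if acct["holders"] else "no named holder")
            if not rotation_is_current(acct):
                issues.append("credential not rotated after last member removal")
        findings[acct["name"]] = issues
    return findings


def generate_rotation_password(length=MIN_PASSWORD_LEN):
    """Generate a replacement shared secret using a CSPRNG (secrets module)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Running `review(ACCOUNTS)` yields the evidence list an assessor would expect: `jdoe` is clean, `svc-backup` is shared but current, `ops-shared` is shared and overdue for rotation, and `legacy-admin` has no named holder.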
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD