This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts].
NIST 800-53 (r4) Supplemental Guidance:
Organizations can describe the specific conditions or circumstances under which information system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time.
NIST 800-53 (r5) Discussion:
Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time.
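A worked illustration of the usage conditions described above (allowed days of the week, time of day, and a maximum duration), with an alert record produced for each violation as the account-monitoring text calls for. This is an added example, not part of the page or of any 38North tooling; the account names, policy values and authentication events are all constructed.

```python
"""Usage-condition check for system accounts (AC-2(11)). Added example; all
account names, policy values and events below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

@dataclass
class UsageCondition:
    """Organization-defined circumstances under which an account may be used."""
    allowed_days: set = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Mon-Fri, Monday=0
    start_hour: int = 7           # inclusive, system local time
    end_hour: int = 19            # exclusive
    max_session_minutes: Optional[int] = None

# Hypothetical policy: the backup service account is valid only on weekends for
# at most 120 minutes per session; the administrator only during business hours.
POLICY = {
    "svc-backup": UsageCondition(allowed_days={5, 6}, start_hour=0, end_hour=24,
                                 max_session_minutes=120),
    "admin-jdoe": UsageCondition(),
}

def check_event(account: str, start: datetime, end: Optional[datetime] = None) -> list:
    """Return the list of violations for one authentication event (empty = permitted)."""
    cond = POLICY.get(account)
    if cond is None:  # an account with no defined condition is itself a finding
        return ["no usage condition defined for account"]
    violations = []
    if start.weekday() not in cond.allowed_days:
        violations.append("day not permitted")
    if not (cond.start_hour <= start.hour < cond.end_hour):
        violations.append("time of day not permitted")
    if end is not None and cond.max_session_minutes is not None:
        if (end - start).total_seconds() / 60 > cond.max_session_minutes:
            violations.append(f"session exceeded {cond.max_session_minutes} minutes")
    return violations

# Constructed sample events: (account, login time, optional logout time)
SAMPLE_EVENTS = [
    ("admin-jdoe", datetime(2024, 3, 12, 10, 15), None),  # Tuesday, business hours: ok
    ("admin-jdoe", datetime(2024, 3, 16, 10, 15), None),  # Saturday: day violation
    ("admin-jdoe", datetime(2024, 3, 12, 22, 0), None),   # Tuesday 22:00: time violation
    ("svc-backup", datetime(2024, 3, 16, 2, 0), datetime(2024, 3, 16, 5, 0)),  # 180 min
    ("ops-temp", datetime(2024, 3, 12, 10, 0), None),     # account with no condition
]

def alerts(events=SAMPLE_EVENTS) -> list:
    """One (account, login time, reason) alert record per violation, for monitoring."""
    return [(acct, start.isoformat(), why)
            for acct, start, end in events for why in check_event(acct, start, end)]
```

In a real deployment the policy table would come from the CSP's role matrix and the events from the directory or identity provider's authentication log, with the alert records forwarded to the account-monitoring system.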
38North Guidance:
Meets Minimum Requirement:
Enforce organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
Best Practice:
Only add users to the groups that are designated for their role or responsibility within the FedRAMP environment.
When users are transferred, ensure that they belong only to the groups for their current role or responsibility, to prevent "privilege creep".
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Have the CSP provide a role matrix of all user accounts with role membership, restrictions or permitted actions, and any other organization-defined action.
Observe CSP system administrators authenticating to the FedRAMP environment and system components with two-factor authentication using FIPS 140-2 or FIPS 140-3 validated hardware tokens, to verify that usage conditions are enforced.
An account listing from Active Directory, LDAP, or whatever access management solution is in use, showing all users and their role-based schema.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD