This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and
(b) Reports atypical usage of information system accounts to [FedRAMP Assignment: (H) at a minimum, the ISSO and/or similar role within the organization].
AC-2 (12)(a) Additional FedRAMP Requirements and Guidance: Required for privileged accounts.
AC-2 (12)(b) Additional FedRAMP Requirements and Guidance: Required for privileged accounts.
NIST 800-53 (r4) Supplemental Guidance:
Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations. Related control: CA-7.
NIST 800-53 (r5) Discussion:
Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.
38North Guidance:
Meets Minimum Requirement:
Monitor information system accounts for organization-defined atypical usage, which could include logins outside normal working hours, more logins than usual, etc.
Report atypical usage of information system accounts to organization-defined personnel or roles; for High systems this is, at a minimum, the ISSO and/or a similar role within the organization.
Best Practice:
Use a SOC or a designated person or team to monitor the FedRAMP environment for atypical usage, such as high bandwidth usage, more account activity than is typical, bitcoin mining, etc.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Dashboards or alerting in the SIEM tool for atypical usage, monitored against conditions the CSP defines.
Notifications or processes for reporting atypical usage to designated personnel, based on the impact level of the system.
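As an added worked example (not part of this page or of any 38North or CSP tooling), the following Python sketches the kind of SIEM detection logic the evidence above describes: it builds a per-account baseline of login hours, source countries and daily login counts from constructed history, flags recent logins that fall outside that baseline, and routes alerts for privileged accounts to the ISSO as AC-2(12) requires. The event fields, account names and thresholds are assumptions.

```python
"""Flag atypical account use (off-hours, new location, login spike) from login events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real data: (timestamp, account, source country, privileged?)
HISTORY = [
    ("2024-03-04T09:12:00", "alice", "US", False),
    ("2024-03-04T14:40:00", "alice", "US", False),
    ("2024-03-05T10:05:00", "alice", "US", False),
    ("2024-03-04T08:30:00", "admin-bob", "US", True),
    ("2024-03-05T09:45:00", "admin-bob", "US", True),
    ("2024-03-06T11:20:00", "admin-bob", "US", True),
]
RECENT = [
    ("2024-03-07T10:00:00", "alice", "US", False),       # within baseline, no alert
    ("2024-03-07T03:15:00", "admin-bob", "RO", True),     # off-hours and new country
    ("2024-03-07T09:00:00", "admin-bob", "US", True),
    ("2024-03-07T09:05:00", "admin-bob", "US", True),     # 3rd and 4th logins today exceed
    ("2024-03-07T09:10:00", "admin-bob", "US", True),     # 2x the busiest baseline day
]

def build_baseline(events):
    """Per account: hours and countries seen, and the login count of the busiest day."""
    hours, countries = defaultdict(set), defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, acct, country, _privileged in events:
        t = datetime.fromisoformat(ts)
        hours[acct].add(t.hour)
        countries[acct].add(country)
        per_day[acct][t.date()] += 1
    return {a: {"hours": hours[a], "countries": countries[a],
                "max_per_day": max(per_day[a].values())} for a in hours}

def detect_atypical(baseline, events, spike_factor=2):
    """Return (account, timestamp, reason, recipient) for each login outside its baseline.
    Privileged-account alerts go to the ISSO; others to the SOC. An account with no
    history is flagged too, since having no baseline is itself atypical."""
    alerts, counts = [], defaultdict(int)
    for ts, acct, country, privileged in events:
        t = datetime.fromisoformat(ts)
        counts[(acct, t.date())] += 1
        to = "ISSO" if privileged else "SOC"
        b = baseline.get(acct)
        if b is None:
            alerts.append((acct, ts, "no baseline for account", to))
            continue
        if t.hour not in b["hours"]:
            alerts.append((acct, ts, f"login at hour {t.hour:02d} outside usual hours", to))
        if country not in b["countries"]:
            alerts.append((acct, ts, f"login from new location {country}", to))
        if counts[(acct, t.date())] > spike_factor * b["max_per_day"]:
            alerts.append((acct, ts, "daily login count exceeds baseline", to))
    return alerts
```

A production baseline would use a longer history window and per-account tolerances, but the three checks here map directly to the "time of day", "location" and "exceeding usual logins" conditions the control text names.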
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD