This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization disables accounts of users posing a significant risk within [FedRAMP Assignment: (H) one (1) hour] of discovery of the risk.
NIST 800-53 (r4) Supplemental Guidance:
Users posing a significant risk to organizations include individuals for whom reliable evidence or intelligence indicates either the intention to use authorized access to information systems to cause harm or through whom adversaries will cause harm. Harm includes potential adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. Close coordination between authorizing officials, information system administrators, and human resource managers is essential in order for timely execution of this control enhancement. Related control: PS-4.
NIST 800-53 (r5) Discussion:
Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals.
38North Guidance:
Meets Minimum Requirement:
Disable accounts of users posing a significant risk within the time period of 1 hour of discovery of the risk.
The important part here is to be able to demonstrate how, and where you would go, to disable an account within an hour, typically in the IdP and the VPN. Present some use cases and be able to walk the assessor through the process we follow.
Best Practice:
Document the processes used to determine who is high risk, and the processes used to disable users posing a significant risk to the FedRAMP environment within that 1 hour time period.
Disabling activities must be preceded by a documented justification and can be accomplished by disabling the user account(s) through AD, IAM, or another LDAP mechanism. Additionally, a script may be developed to perform the account disablement within 1 hour of discovery that an individual poses a risk.
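The following is an added example of such a disablement script, not code from the page or from 38North. It assumes the account lives in AWS IAM (the page's CSP tips are still TBD) and that a boto3 IAM client is available for a real run; the FakeIam class, the ticket number, the user name and the access key IDs are constructed stand-ins so the script runs offline. Beyond disabling the credentials, it records every step taken and whether the 1 hour window was met, which is the evidence an assessor will ask for.

```python
"""Emergency disablement of an AWS IAM user with an elapsed-time audit record.

Assumed design (not from the page): the discovery time comes from the ticket
that justified the action, and the script records every step it took plus
whether the one-hour deadline was met, so the record can be attached to the
ticket as assessment evidence.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Any, List, Optional

# Real AWS-managed policy that denies every action; attaching it cuts off
# API access immediately, before the keys and password are cleaned up.
DENY_ALL_POLICY_ARN = "arn:aws:iam::aws:policy/AWSDenyAll"
DEADLINE = timedelta(hours=1)  # FedRAMP (High) assignment for this control


@dataclass
class DisableRecord:
    """Audit trail for one disablement, kept with the ticket as evidence."""
    username: str
    ticket: str
    discovered_at: datetime
    completed_at: Optional[datetime] = None
    actions: List[str] = field(default_factory=list)

    @property
    def elapsed(self) -> timedelta:
        return self.completed_at - self.discovered_at

    @property
    def within_deadline(self) -> bool:
        return self.elapsed <= DEADLINE


def disable_iam_user(iam: Any, username: str, ticket: str,
                     discovered_at: datetime,
                     now: Optional[datetime] = None) -> DisableRecord:
    """Disable every credential path of an IAM user and record what was done.

    `iam` is a boto3 IAM client, e.g. boto3.client("iam"), or a stand-in
    exposing the same methods (FakeIam below).
    """
    rec = DisableRecord(username, ticket, discovered_at)

    # 1. Deny-all policy first: it applies to every request the user makes
    #    from this point on, whichever credential they present.
    iam.attach_user_policy(UserName=username, PolicyArn=DENY_ALL_POLICY_ARN)
    rec.actions.append(f"attached {DENY_ALL_POLICY_ARN}")

    # 2. Console password (login profile). A missing profile is not an error.
    try:
        iam.delete_login_profile(UserName=username)
        rec.actions.append("deleted console login profile")
    except iam.exceptions.NoSuchEntityException:
        rec.actions.append("no console login profile present")

    # 3. Deactivate (rather than delete) active access keys so the key IDs
    #    remain available for correlating CloudTrail events afterwards.
    for key in iam.list_access_keys(UserName=username)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            iam.update_access_key(UserName=username,
                                  AccessKeyId=key["AccessKeyId"],
                                  Status="Inactive")
            rec.actions.append(f"deactivated access key {key['AccessKeyId']}")

    rec.completed_at = now or datetime.now(timezone.utc)
    return rec


class FakeIam:
    """Constructed stand-in for boto3's IAM client so the demo runs offline."""

    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, access_keys: List[str], has_password: bool) -> None:
        self.keys = {k: "Active" for k in access_keys}
        self.has_password = has_password
        self.policies: List[str] = []

    def attach_user_policy(self, UserName: str, PolicyArn: str) -> None:
        self.policies.append(PolicyArn)

    def delete_login_profile(self, UserName: str) -> None:
        if not self.has_password:
            raise self.exceptions.NoSuchEntityException(UserName)
        self.has_password = False

    def list_access_keys(self, UserName: str) -> dict:
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.items()]}

    def update_access_key(self, UserName: str, AccessKeyId: str,
                          Status: str) -> None:
        self.keys[AccessKeyId] = Status


def demo(delay_minutes: int, has_password: bool = True) -> DisableRecord:
    """Run the procedure against the fake client with constructed inputs."""
    iam = FakeIam(["AKIACONSTRUCTED00001", "AKIACONSTRUCTED00002"], has_password)
    found = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    return disable_iam_user(iam, "example.user", "TICKET-PLACEHOLDER", found,
                            now=found + timedelta(minutes=delay_minutes))


if __name__ == "__main__":
    r = demo(20)
    print(f"{r.username}: {len(r.actions)} actions in {r.elapsed}, "
          f"within deadline: {r.within_deadline}")
```

For a real run, replace the FakeIam instance with `boto3.client("iam")`; the deny-all policy is attached first deliberately, so even if a later step fails the user is already cut off while the ticket is worked. Group memberships, MFA devices and any role sessions the user already assumed are not covered here and need their own steps in the documented process.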
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Defined, documented processes for determining high risk individuals and disabling them within the 1 hour time period.
Tickets documenting high risk individuals that were required to be disabled.
Observe and capture screenshots of the CSP's process for disabling a high risk user's account.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD