This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system automatically [FedRAMP Selection: removes; (H) disables] temporary and emergency accounts after [FedRAMP Assignment: (M) no more than 30 days for temporary and emergency account types; (H) 24 hours from last use].
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator.
NIST 800-53 (r5) Discussion:
Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation.
38North Guidance:
Meets Minimum Requirement:
Automatically remove or disable temporary and emergency accounts after no more than thirty (30) days (FedRAMP Moderate), and disable them no more than twenty-four (24) hours from last use (FedRAMP High), for each type of account.
Exceptions have been made for a small number of break-glass accounts: where critically needed, these are not torn down every 24 hours, but compensating controls are applied to them instead (extra auditing, monitoring, etc.). Typical use case: a break-glass account is opened only for authorized, specifically approved scenarios, usually during an open incident, and may be used only for the duration of that incident.
Best Practice:
No temporary or emergency accounts should be configured unless absolutely necessary; where they are, they must be documented in tickets and their use authorized by approvers.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
An exported listing of all user accounts within the FedRAMP boundary, used to determine whether temporary or emergency accounts are in use.
Tickets demonstrating that a temporary or emergency account is needed, documenting the business use case and the approval process to create the accounts.
Audit logs demonstrating accounts were created and disabled within the FedRAMP parameter timeframe for the moderate or high system as stated above.
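The kind of check an assessor can run over the exported account listing above to produce the evidence this section asks for, as an added example (not 38North's or FedRAMP's code): it applies the Moderate (30 days from creation) and High (24 hours from last use) parameters and lists documented break-glass exceptions separately so their compensating controls can be verified. The export format, account names, ticket id and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# FedRAMP AC-2(2) parameters as stated on this page.
MODERATE_MAX_AGE = timedelta(days=30)  # remove or disable, measured from account creation
HIGH_MAX_IDLE = timedelta(hours=24)    # disable, measured from last use

def parse(ts):
    """ISO-8601 timestamp from the export (UTC assumed); None when the field is empty."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc) if ts else None

def evaluate_accounts(accounts, baseline, now):
    """Return (findings, exceptions): (user, reason) for temporary/emergency accounts still
    enabled past the `baseline` parameter, and (user, ticket) for documented break-glass exceptions."""
    findings, exceptions = [], []
    for acct in accounts:
        if acct["type"] not in ("temporary", "emergency") or not acct["enabled"]:
            continue  # standard accounts are out of scope; disabled ones already comply
        if acct.get("exception_ticket"):
            exceptions.append((acct["user"], acct["exception_ticket"]))
            continue  # verify compensating controls instead of the 24-hour teardown
        created, last_used = parse(acct["created"]), parse(acct.get("last_used"))
        if baseline == "moderate":
            age = now - created
            if age > MODERATE_MAX_AGE:
                findings.append((acct["user"], f"enabled {age.days} days after creation (limit 30)"))
        elif baseline == "high":
            idle = now - (last_used or created)  # never used: measure from creation
            if idle > HIGH_MAX_IDLE:
                findings.append((acct["user"], f"enabled {idle // timedelta(hours=1)} h since last use (limit 24)"))
        else:
            raise ValueError(f"unknown baseline: {baseline}")
    return findings, exceptions

# Constructed account export for illustration; no real system, user or ticket is represented.
EXPORT = [
    {"user": "tmp-contractor1", "type": "temporary", "enabled": True,
     "created": "2024-01-20T09:00:00", "last_used": "2024-02-28T17:00:00"},
    {"user": "tmp-contractor2", "type": "temporary", "enabled": False,
     "created": "2024-01-05T09:00:00", "last_used": "2024-01-30T17:00:00"},
    {"user": "emerg-oncall", "type": "emergency", "enabled": True,
     "created": "2024-02-29T10:00:00", "last_used": "2024-02-29T12:00:00"},
    {"user": "breakglass-1", "type": "emergency", "enabled": True, "created": "2023-06-01T00:00:00",
     "last_used": "2024-02-15T00:00:00", "exception_ticket": "CHG-0000 (placeholder ticket id)"},
]
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed assessment time

if __name__ == "__main__":
    for baseline in ("moderate", "high"):
        print(baseline, *evaluate_accounts(EXPORT, baseline, NOW))
```

Note that "emerg-oncall" sits exactly at the 24-hour boundary and is not flagged, since the parameter is "no more than" 24 hours; an account with no recorded last use is measured from its creation time.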
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD