This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
(b) Monitors privileged role assignments; and
(c) Takes [FedRAMP Assignment: (H) disables/revokes access within an organization-specified timeframe] when privileged role assignments are no longer appropriate.
NIST 800-53 (r4) Supplemental Guidance:
Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration.
NIST 800-53 (r5) Discussion:
Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.
38North Guidance:
Meets Minimum Requirement:
Establish and administer privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.
Monitor privileged role assignments.
Take organization-defined actions when privileged role assignments are no longer appropriate.
Best Practice:
Use tickets to document the approval process, the creation of role-based accounts, and the enabling of role-based accounts.
Define roles and groups clearly so that privileged functions can be performed only according to the role personnel are assigned to. Ensure privilege creep cannot occur.
Log all role-based or privileged access and send it to the SIEM tool for monitoring by the SOC or designated personnel.
Revoke access immediately once it is determined to be no longer needed, and document every revocation in a ticket.
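An added example (not from this page or from 38North) of the reconciliation behind parts (b) and (c): current privileged role assignments exported from the directory are compared against approval tickets, flagging assignments with no ticket (privilege creep) and approvals whose expiry has passed the organization-specified revocation timeframe. All users, roles, ticket ids and the one-day timeframe are constructed placeholders.

```python
"""Reconcile privileged role assignments against approval tickets (AC-2(7)(b)/(c))."""
from datetime import date

# Constructed sample data: privileged group membership as exported from the
# directory (AD/LDAP), and the approval tickets that authorize each assignment.
# Users, groups and ticket ids are made up for illustration.
CURRENT_ASSIGNMENTS = [
    {"user": "alice", "role": "DatabaseAdmins"},
    {"user": "bob",   "role": "NetworkAdmins"},
    {"user": "carol", "role": "KeyManagers"},
    {"user": "dave",  "role": "DatabaseAdmins"},   # no ticket: privilege creep
]

APPROVAL_TICKETS = [
    {"ticket": "CHG-1001", "user": "alice", "role": "DatabaseAdmins", "expires": date(2025, 12, 31)},
    {"ticket": "CHG-1002", "user": "bob",   "role": "NetworkAdmins",  "expires": date(2024, 1, 15)},
    {"ticket": "CHG-1003", "user": "carol", "role": "KeyManagers",    "expires": date(2025, 6, 30)},
]


def review_privileged_roles(assignments, tickets, today, revoke_within_days):
    """Return findings for (b) monitoring and (c) revocation.

    A finding is raised when a live assignment has no approval ticket, or when
    its approval expired more than revoke_within_days ago (the organization-
    specified timeframe; the value used here is a placeholder) but the
    assignment is still present in the directory export.
    """
    approved = {(t["user"], t["role"]): t for t in tickets}
    findings = []
    for a in assignments:
        ticket = approved.get((a["user"], a["role"]))
        if ticket is None:
            findings.append({"user": a["user"], "role": a["role"],
                             "issue": "no approval ticket"})
            continue
        days_past_expiry = (today - ticket["expires"]).days
        if days_past_expiry > revoke_within_days:
            findings.append({"user": a["user"], "role": a["role"],
                             "issue": "revocation overdue",
                             "ticket": ticket["ticket"],
                             "days_overdue": days_past_expiry})
    return findings


if __name__ == "__main__":
    for f in review_privileged_roles(CURRENT_ASSIGNMENTS, APPROVAL_TICKETS,
                                     date(2025, 3, 1), revoke_within_days=1):
        print(f)
```

Each finding is the input to a revocation ticket, which is the evidence an assessor asks for under this control.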
Unofficial FedRAMP Guidance: TBD
Assessment Evidence:
Tickets demonstrating authorization to create role-based accounts.
An account listing from Active Directory, LDAP, or whichever access management solution is in use, showing all users and their role-based schema.
SIEM tool dashboards showing that role-based account activity, such as sudo-elevated commands on Linux, is logged and monitored by the SOC or designated personnel.
Tickets demonstrating the access revocation process, from the initial request through the disabling of the accounts.
A listing of accounts that have been revoked or disabled within the FedRAMP boundary.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD