This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization only permits the use of shared/group accounts that meet [FedRAMP Assignment: (H) organization-defined need with justification statement that explains why such accounts are necessary].
AC-2 (9) Additional FedRAMP Requirements and Guidance: Required if shared/group accounts are deployed.
NIST 800-53 (r4) Supplemental Guidance:
None
NIST 800-53 (r5) Discussion:
Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts.
38North Guidance:
Meets Minimum Requirement:
Only permit the use of shared/group accounts that meet organization-defined conditions for establishing shared/group accounts.
Best Practice:
Do not permit shared or group accounts within the FedRAMP environment so that all audit actions can be traced to an individual.
If shared/group accounts are configured within the FedRAMP environment, ensure that user actions are correlated with each individual performing such actions, thus providing for non-repudiation functionality.
If shared or group accounts do exist, an explicit justification for why each account is necessary needs to be fully documented.
Unofficial FedRAMP Guidance: TBD
Assessment Evidence:
Export of all user accounts verifying that no shared or group accounts exist. If shared/group accounts do exist, the CSP needs to have documentation of the justification for each account, how often its passwords are changed, who has access to it, and how non-repudiation functionality is established.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD