This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
NIST 800-53 (r4) Supplemental Guidance:
Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.
References: None.
NIST 800-53 (r5) Discussion:
Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family.
38North Guidance:
Meets Minimum Requirement:
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Best Practice:
Have clearly defined processes to only allow approved logical access to the FedRAMP environment.
Whenever possible, use role-based access control (RBAC) so that users have access only to the resources and actions they have been approved for.
Additionally, where personnel only need to view information within the information system and do not need to modify it, limit their access to read-only privileges.
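To make the best-practice points concrete, the following is an added example (not part of the 38North guidance and not code from any CSP) of a minimal role-based access enforcement point: subjects map to roles, roles map to (resource, action) permissions, every decision is deny-by-default, and every decision is recorded so the log can serve as assessment evidence. The role names, users and resources are constructed for illustration; the helper read_only_roles() is an assumed name that flags roles holding only 'read' permissions.

```python
"""Added example: a small RBAC enforcement point in the spirit of AC-3.

Not part of the original guidance page. Role names, users and resource
names below are constructed sample data, not values from any real system.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Permission = Tuple[str, str]  # (resource, action), e.g. ("config", "read")

# Constructed role-to-permission map. In practice this would be derived
# from the documented access control policy for the environment.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "auditor": frozenset({("audit-logs", "read"), ("config", "read")}),
    "operator": frozenset({("audit-logs", "read"),
                           ("config", "read"), ("config", "write")}),
}

# Constructed user-to-role assignment, the kind of listing an AD/LDAP
# export would provide as evidence. "mallory" has an account but no roles.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"auditor"},
    "bob": {"operator"},
    "mallory": set(),
}


@dataclass(frozen=True)
class Decision:
    """One access decision; the list of these is the enforcement audit trail."""
    subject: str
    resource: str
    action: str
    allowed: bool
    reason: str


class AccessEnforcer:
    """Deny-by-default enforcement: access is granted only when some role
    assigned to the subject explicitly holds the requested permission."""

    def __init__(self, role_permissions: Dict[str, FrozenSet[Permission]],
                 user_roles: Dict[str, Set[str]]) -> None:
        self.role_permissions = role_permissions
        self.user_roles = user_roles
        self.audit: List[Decision] = []

    def check(self, subject: str, resource: str, action: str) -> Decision:
        roles = self.user_roles.get(subject)
        if roles is None:
            # Unknown subject: never fall through to an implicit grant.
            decision = Decision(subject, resource, action, False,
                                "unknown subject")
        else:
            granting = [r for r in roles
                        if (resource, action) in self.role_permissions.get(r, frozenset())]
            if granting:
                decision = Decision(subject, resource, action, True,
                                    f"granted by role {sorted(granting)[0]}")
            else:
                decision = Decision(subject, resource, action, False,
                                    "no assigned role grants this permission")
        self.audit.append(decision)  # record allow and deny alike
        return decision

    def effective_permissions(self, subject: str) -> FrozenSet[Permission]:
        """Everything a subject can do; useful for access review evidence."""
        perms: Set[Permission] = set()
        for role in self.user_roles.get(subject, set()):
            perms |= self.role_permissions.get(role, frozenset())
        return frozenset(perms)


def read_only_roles(role_permissions: Dict[str, FrozenSet[Permission]]) -> Set[str]:
    """Roles whose every permission is a 'read' action (assumed helper name).
    Roles with no permissions at all are not counted as read-only."""
    return {role for role, perms in role_permissions.items()
            if perms and all(action == "read" for _, action in perms)}


if __name__ == "__main__":
    enforcer = AccessEnforcer(ROLE_PERMISSIONS, USER_ROLES)
    for subj, res, act in [("alice", "audit-logs", "read"),
                           ("alice", "config", "write"),
                           ("mallory", "config", "read"),
                           ("nobody", "config", "read")]:
        d = enforcer.check(subj, res, act)
        print(f"{d.subject:8} {d.action:5} {d.resource:10} "
              f"{'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
    print("read-only roles:", read_only_roles(ROLE_PERMISSIONS))
```

The audit list is what an assessor would want to see alongside the role listing: it shows both that approved access was granted and that unapproved requests (an auditor attempting a write, an account with no roles, an unknown account) were refused rather than silently permitted.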
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Tickets documenting the approval process for requesting logical access to system components along with the justification.
An account listing from Active Directory, LDAP, or whatever access management solution is in use, showing all users and their role assignments.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD