This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
NIST 800-53 (r4) Supplemental Guidance:
Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems. Related controls: AC-2, AC-3, AC-5, CM-6, CM-7, PL-2.
References: None.
NIST 800-53 (r5) Discussion:
Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.
38North Guidance:
Meets Minimum Requirement:
Employ the principle of least privilege, granting users (and processes acting on behalf of users) only the authorized accesses that are necessary to accomplish their assigned tasks in accordance with organizational missions and business functions.
Best Practice:
Define roles and groups clearly so that privileged functions can be performed only by personnel assigned to the corresponding role. Prevent privilege creep: apply least privilege whenever accounts are created and whenever personnel transfer to different roles or responsibilities, removing any privileges the new role does not require.
Use tickets to document the approval, creation, and enablement of role-based accounts, showing that least privilege was applied at each step.
Periodically review the privileges of accounts within the FedRAMP boundary to determine whether each access is still required for the account holder's current role or responsibility, and remove access that is not.
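The periodic review above is easiest to perform against the role traceability matrix described under Assessment Evidence. The following script is an added illustration, not 38North or NIST material: it compares the permissions each account actually holds with the permissions its documented role allows and reports privilege creep (excess grants, such as an account that kept developer permissions after transferring to an auditor role), accounts whose role does not appear in the matrix, and role permissions the account lacks. The role names, account names, and permission strings are constructed sample data, and matching is exact string comparison (wildcards such as `ec2:*` are not expanded).

```python
"""Least-privilege review against a role traceability matrix.

Added example (not from the 38North guidance). All roles, accounts and
permission strings below are constructed sample data; permission matching
is exact string comparison, with no wildcard expansion.
"""
from dataclasses import dataclass, field

# Constructed role traceability matrix: role -> permissions that role needs.
ROLE_MATRIX = {
    "sysadmin": {"ec2:*", "iam:ListUsers", "logs:Read"},
    "auditor": {"logs:Read", "iam:ListUsers"},
    "developer": {"ec2:Describe*", "logs:Read"},
}


@dataclass
class Account:
    name: str
    role: str             # role recorded in the access ticket / HR record
    permissions: set      # permissions currently granted in the system


@dataclass
class Finding:
    account: str
    role: str
    excess: set = field(default_factory=set)   # privilege creep
    missing: set = field(default_factory=set)  # role permissions not granted
    unknown_role: bool = False                 # role absent from the matrix


def review(accounts, matrix=ROLE_MATRIX):
    """Return one Finding per account that deviates from its role's grants."""
    findings = []
    for acct in accounts:
        allowed = matrix.get(acct.role)
        if allowed is None:
            # No documented role: every grant is unjustified until reviewed.
            findings.append(Finding(acct.name, acct.role,
                                    excess=set(acct.permissions),
                                    unknown_role=True))
            continue
        granted = set(acct.permissions)
        excess = granted - allowed
        missing = allowed - granted
        if excess or missing:
            findings.append(Finding(acct.name, acct.role, excess, missing))
    return findings


def has_privilege_creep(findings):
    """True if any reviewed account holds permissions its role does not need."""
    return any(f.excess for f in findings)


# Constructed account snapshot. bob transferred from developer to auditor and
# kept ec2:Describe*; dave's "contractor" role is not in the matrix.
SAMPLE_ACCOUNTS = [
    Account("alice", "sysadmin", {"ec2:*", "iam:ListUsers", "logs:Read"}),
    Account("bob", "auditor", {"logs:Read", "iam:ListUsers", "ec2:Describe*"}),
    Account("carol", "developer", {"logs:Read"}),
    Account("dave", "contractor", {"ec2:*"}),
]


def format_report(findings):
    """Render findings as ticket-ready lines."""
    lines = []
    for f in findings:
        if f.unknown_role:
            lines.append(f"{f.account}: role '{f.role}' not in matrix; "
                         f"review grants {sorted(f.excess)}")
            continue
        if f.excess:
            lines.append(f"{f.account} ({f.role}): REMOVE {sorted(f.excess)}")
        if f.missing:
            lines.append(f"{f.account} ({f.role}): not granted "
                         f"{sorted(f.missing)} (verify still needed)")
    return lines


if __name__ == "__main__":
    for line in format_report(review(SAMPLE_ACCOUNTS)):
        print(line)
```

Accounts with no deviation (alice) produce no finding, so an empty result is the evidence that the review passed; the excess lines are what the review ticket should record as removals.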
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Tickets demonstrating that the creation of role-based accounts was authorized and that least privilege was applied when the accounts were created.
Documentation or a role traceability matrix that clearly defines roles and responsibilities for all users within the boundary.
Observe CSP system administrators demonstrating that least privilege is applied and that user accounts are limited to the permissions their role requires, and capture screenshots as evidence.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD