This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization explicitly authorizes access to [FedRAMP Assignment: (H) all functions not publicly accessible and all security-relevant information not publicly available].
NIST 800-53 (r4) Supplemental Guidance:
Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. Related controls: AC-17, AC-18, AC-19.
NIST 800-53 (r5) Discussion:
Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users.
38North Guidance:
Meets Minimum Requirement:
The organization is required to define all functions not publicly accessible and all security-relevant information not publicly available.
Explicitly authorize access to:
organization-defined security functions
security-relevant information
Best Practice:
Only permit designated personnel (such as security administrators, system administrators, and network administrators) to have access to security functions for:
Account management activities.
Configuration of logging for system components within the boundary.
Configuration of firewalls and routers.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Role matrix that establishes roles and responsibilities for personnel, ensuring that privilege creep cannot occur for roles with access to security functions/tools.
Tickets demonstrating that the creation of role-based accounts was authorized and that least privilege is applied when creating accounts that access security functions and tools.
Screenshots of all user accounts demonstrating that no account has unrestricted access, including to security functions/tools.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD