This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
NIST 800-53 (r4) Supplemental Guidance:
Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.
NIST 800-53 (r5) Discussion:
Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by AC-3.
38North Guidance:
Meets Minimum Requirement:
The information system -
prevents non-privileged users from executing privileged functions to include:
disabling implemented security safeguards/countermeasures;
circumventing security safeguards/countermeasures; or
altering implemented security safeguards/countermeasures
Best Practice:
System administrators and other privileged users should also hold separate standard (non-privileged) accounts.
Standard accounts should not be permitted to perform or execute privileged functions within the system boundary.
Use RBAC mechanisms to ensure that non-privileged accounts are assigned only to roles associated with non-privileged functions.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Export a listing of all accounts and the groups/permissions assigned to each account, confirming that non-privileged accounts cannot perform privileged functions.
Tickets demonstrating authorization to create role-based accounts & least privilege is being utilized when creating accounts within the FedRAMP environment.
Screenshots of all user accounts demonstrating that non-privileged accounts cannot perform privileged functions.
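The following is an added example, not part of the 38North guidance or the NIST text, illustrating both the Best Practice (an RBAC enforcement point that refuses privileged functions to non-privileged accounts) and the first Assessment Evidence item (an audit over an exported account listing). The role names, permission names, account names and the export format are all assumptions made for the example; the privileged function names are taken from the control's discussion.

```python
"""Added example (not 38North or NIST material): a minimal RBAC model that
denies privileged functions to non-privileged accounts, plus an audit that
flags non-privileged accounts whose roles grant any privileged function."""
from dataclasses import dataclass, field

# Privileged functions named in the control text and its discussion.
PRIVILEGED_FUNCTIONS = {
    "disable_safeguard",
    "circumvent_safeguard",
    "alter_safeguard",
    "create_account",
    "integrity_check",
    "manage_crypto_keys",
}

# Hypothetical role definitions (assumption: role and permission names are ours).
# "security_ops" deliberately bundles a privileged function so the audit has a
# misconfigured role to catch, alongside a direct assignment to "admin".
ROLE_PERMISSIONS = {
    "admin": PRIVILEGED_FUNCTIONS | {"read_data", "write_data"},
    "security_ops": {"integrity_check", "read_data"},
    "analyst": {"read_data"},
    "developer": {"read_data", "write_data"},
}


class PrivilegeViolation(PermissionError):
    """Raised when an account attempts a function it is not authorized for."""


@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)
    privileged: bool = False  # True only for designated privileged accounts


def permissions_for(account):
    """Union of the permissions granted by every role the account holds."""
    perms = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(account, function):
    """Enforcement point (what AC-3 enforces): a non-privileged account is
    refused any privileged function regardless of its roles, and every
    account is refused functions its roles do not grant."""
    if function in PRIVILEGED_FUNCTIONS and not account.privileged:
        raise PrivilegeViolation(
            f"{account.name}: non-privileged account attempted {function}")
    if function not in permissions_for(account):
        raise PrivilegeViolation(
            f"{account.name}: role set does not grant {function}")
    return True


def is_allowed(account, function):
    """Boolean wrapper around authorize() for audits and tests."""
    try:
        return authorize(account, function)
    except PrivilegeViolation:
        return False


# Constructed account export (assumed CSV shape: name, privileged flag, roles).
SAMPLE_EXPORT = """\
name,privileged,roles
alice-admin,yes,admin
alice,no,analyst
bob,no,developer;security_ops
carol,no,analyst;admin
"""


def parse_export(text):
    """Parse the constructed export into Account objects (header line skipped)."""
    accounts = []
    for line in text.strip().splitlines()[1:]:
        name, priv, roles = line.split(",")
        accounts.append(Account(name, set(roles.split(";")), priv == "yes"))
    return accounts


def audit(accounts):
    """Return (name, privileged functions) for each non-privileged account whose
    roles would grant a privileged function; these are the findings an
    assessor would expect to be empty."""
    findings = []
    for acct in accounts:
        if acct.privileged:
            continue
        granted = permissions_for(acct) & PRIVILEGED_FUNCTIONS
        if granted:
            findings.append((acct.name, sorted(granted)))
    return findings


if __name__ == "__main__":
    for name, funcs in audit(parse_export(SAMPLE_EXPORT)):
        print(f"FINDING: non-privileged account {name} can invoke {funcs}")
```

Note that `authorize()` checks the privileged-account flag before consulting roles: even if a non-privileged account is mistakenly added to a privileged role, the enforcement point still refuses the privileged function, and `audit()` surfaces the misassignment so it can be corrected.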
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD