This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization requires that users of information system accounts, or roles, with access to [FedRAMP Assignment: (M)(H) all security functions], use non-privileged accounts or roles, when accessing non-security functions.
AC-6 (2) Additional FedRAMP Requirements and Guidance:
Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. Related control: PL-4.
NIST 800-53 (r5) Discussion:
Requiring the use of non-privileged accounts when accessing non-security functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.
38North Guidance:
Meets Minimum Requirement:
The organization requires that users of information system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing non-security functions.
Best Practice:
Issue each privileged user a separate non-privileged account, and require that day-to-day, non-security work (email, browsing, application use) is done only from the non-privileged account.
Ensure that non-privileged accounts hold no privileged permissions, so that privileged functions (account creation, permission changes, audit and intrusion detection configuration, system administration) cannot be performed from them.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Export a listing of all accounts with the groups and permissions assigned to each account, showing which accounts are privileged and which non-privileged account each privileged user holds.
Tickets demonstrating that role-based accounts were authorized before creation and that least privilege was applied when creating accounts within the FedRAMP environment.
Screenshots of user accounts demonstrating that non-privileged accounts cannot perform privileged functions.
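The following check is an added example, not part of the 38North guidance or any CSP tooling: it takes an account export of the kind listed under Assessment Evidence and tests the two Best Practice conditions above, that every privileged user also has a non-privileged account and that no non-privileged account carries a privileged permission. It also flags privileged accounts that grant non-security functions, since those invite use of the privileged account for day-to-day work. The CSV column layout, the permission names and the set of permissions treated as security functions are assumptions for illustration; the sample export is constructed.

```python
"""Assessment check for AC-6 (2): separation of privileged and non-privileged accounts."""
import csv
import io

# Assumed: permission strings that map to the FedRAMP examples of security
# functions (account creation, access authorization, audit and IDS configuration,
# system administration). Replace with the names your export actually uses.
PRIVILEGED_PERMISSIONS = {
    "iam:CreateUser",
    "iam:AttachUserPolicy",
    "audit:ConfigureEvents",
    "ids:SetParameters",
    "sysadmin:All",
}

# Constructed sample export: one row per account, permissions separated by ';'.
SAMPLE_EXPORT = """account,owner,account_type,permissions
alice,alice,standard,s3:ReadObject;app:UseDashboard
alice-admin,alice,privileged,iam:CreateUser;audit:ConfigureEvents
bob,bob,standard,s3:ReadObject;iam:AttachUserPolicy
carol-admin,carol,privileged,sysadmin:All
dave,dave,standard,app:UseDashboard
erin,erin,standard,app:UseDashboard
erin-admin,erin,privileged,iam:CreateUser;app:UseDashboard
"""


def parse_export(text):
    """Parse the CSV export into a list of account records with a permission set."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        perms = {p.strip() for p in row["permissions"].split(";") if p.strip()}
        accounts.append({
            "account": row["account"],
            "owner": row["owner"],
            "type": row["account_type"],
            "permissions": perms,
        })
    return accounts


def find_violations(accounts):
    """Return (subject, reason) pairs for every deviation from the AC-6 (2) pattern."""
    findings = []
    for a in accounts:
        privileged = a["permissions"] & PRIVILEGED_PERMISSIONS
        non_security = a["permissions"] - PRIVILEGED_PERMISSIONS
        # Check 1: a non-privileged account must not be able to perform privileged functions.
        if a["type"] == "standard" and privileged:
            findings.append((a["account"],
                             "non-privileged account holds privileged permissions: "
                             + ", ".join(sorted(privileged))))
        # Check 2: a privileged account should not also be the vehicle for non-security work.
        if a["type"] == "privileged" and non_security:
            findings.append((a["account"],
                             "privileged account grants non-security functions: "
                             + ", ".join(sorted(non_security))))
    # Check 3: every privileged user needs a separate non-privileged account to work from.
    owners_with_priv = {a["owner"] for a in accounts if a["type"] == "privileged"}
    owners_with_std = {a["owner"] for a in accounts if a["type"] == "standard"}
    for owner in sorted(owners_with_priv - owners_with_std):
        findings.append((owner, "privileged user has no separate non-privileged account"))
    return findings


if __name__ == "__main__":
    for subject, reason in find_violations(parse_export(SAMPLE_EXPORT)):
        print(f"{subject}: {reason}")
```

Run against the real export, the output lists exactly the accounts a screenshot or ticket will have to explain to the assessor; an empty result is the evidence that the Best Practice conditions hold for the whole inventory, not just for the accounts that happened to be captured.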
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD