This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization authorizes network access to [FedRAMP Assignment: (H) all privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.
NIST 800-53 (r4) Supplemental Guidance:
Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Related control: AC-17.
NIST 800-53 (r5) Discussion:
Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).
38North Guidance:
Meets Minimum Requirement:
The organization is required to authorize network access to organization-defined privileged commands only for organization-defined compelling operational needs for the information system.
The organization is required to document the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system.
Best Practice:
This control mainly applies to customers that operate their own infrastructure, or manage their own cloud environment, where local (physically present) access exists as an alternative to network access; the control governs when privileged commands may instead be run over the network.
VPN into the FedRAMP boundary with a non-privileged account, then connect to a jump box (bastion host) before performing privileged commands on target systems within the environment.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Export a listing of all accounts and the groups/permissions assigned to each account.
Ensure that non-privileged accounts cannot perform privileged functions over the network. Ensure that a VPN is required to reach the environment and that direct SSH access or direct logins to servers within the boundary are not possible. Bastion host/jump box mechanisms should be used for all access to target systems in the FedRAMP environment.
Observe and take screenshots of a system administrator accessing the system boundary to perform privileged commands.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD