This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].
NIST 800-53 (r4) Supplemental Guidance:
Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. Related control: CM-6.
NIST 800-53 (r5) Discussion:
Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk.
38North Guidance:
Meets Minimum Requirement:
The organization is required to restrict privileged accounts on the information system to organization-defined personnel or roles.
Best Practice:
Maintain separate accounts for privileged and non-privileged access, permitting each account holder to perform only the actions required for their role or responsibilities within the information system.
Ensure that privileged accounts are limited to the specific personnel who require privileged access for their role or responsibilities.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
An exported listing of all accounts and the groups/permissions assigned to each account, demonstrating that least privilege is applied to every privileged account.
Tickets demonstrating authorization to create role-based accounts and that least privilege is applied when privileged accounts are created within the FedRAMP environment.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD