This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Reviews [FedRAMP Assignment: (H) at a minimum, annually] the privileges assigned to [FedRAMP Assignment: (H) all users with privileges] to validate the need for such privileges; and
(b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
NIST 800-53 (r4) Supplemental Guidance:
The need for certain assigned user privileges may change over time reflecting changes in organizational missions/business function, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions. Related control: CA-7.
NIST 800-53 (r5) Discussion:
The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.
38North Guidance:
Meets Minimum Requirement:
All users with privileges are required to have their roles or classes defined.
The roles or classes are to be reviewed annually to validate the need for such privileges.
The organization reassigns or removes privileges, if necessary, to correctly reflect organizational missions/business needs.
Best Practice:
Review account privileges on at least an annual basis and take the necessary actions after the review is conducted to ensure that organizational mission/business needs are met and that security best practices are in place.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Meeting minutes from reviews of the account privileges of users with access to the FedRAMP environment.
Screenshots of a calendar invite showing the personnel invited to the meeting to discuss user privileges and least privilege.
Email communications documenting the review of user privileges on accounts.
Tickets demonstrating the removal of privileges when a user's account role has changed within the environment.
Tickets demonstrating that designated personnel initiated the account reviews.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD