This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system prevents [FedRAMP Assignment: (H) any software except software explicitly documented] from executing at higher privilege levels than users executing the software.
NIST 800-53 (r4) Supplemental Guidance:
In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.
NIST 800-53 (r5) Discussion:
In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided with greater privileges than assigned.
38North Guidance:
Meets Minimum Requirement:
Software must not execute at a higher privilege level than the user invoking it unless that software is explicitly documented (with the justification for the elevation).
Configure operating systems (OS) to enforce role-based access control (RBAC): on Windows, via Active Directory (AD) Group Policy; on Linux, via local configuration files (for example sudoers rules and the inventory of setuid/setgid binaries).
Configure RBAC for local accounts managed outside of AD so they are held to the same role boundaries.
Document and provide a justification for every instance in which software executes at a higher privilege level than the invoking user (e.g., setuid/setgid binaries, sudo rules, privileged services started on a user's behalf).
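On Linux, the programs that "execute at higher privilege levels than users executing the software" are primarily setuid/setgid binaries, so the documented list called for above can be enforced mechanically. The script below is an added example written for this page, not 38North's or FedRAMP's own tooling: it inventories setuid/setgid files under a filesystem root and reports any not present in an allowlist file (one path per line, relative to that root; blank lines and `#` comments ignored). The allowlist path and format are assumptions for the example; sudoers rules are a second elevation path and must be reviewed separately.

```bash
#!/usr/bin/env bash
# Added example: compare the setuid/setgid binaries present on a host against a
# documented allowlist, and flag undocumented privilege elevation.
set -u

# list_privileged ROOT
#   Print every regular file under ROOT with the setuid or setgid bit set,
#   as paths relative to ROOT, sorted. -xdev keeps the scan on one filesystem.
list_privileged() {
  root="$1"
  find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
    | sed "s|^$root/||" | sort
}

# audit_privileged ROOT ALLOWLIST
#   Print privileged files under ROOT that are not listed in ALLOWLIST
#   (assumed format: one relative path per line, '#' comments and blank lines
#   ignored). Returns 1 if any undocumented elevation is found, else 0.
audit_privileged() {
  root="$1"
  allow="$2"
  patterns=$(mktemp)
  # Strip comments/blank lines so an empty pattern cannot match everything.
  sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$allow" > "$patterns"
  # -x: whole-line match, -F: literal paths, -v: keep only the undocumented ones.
  undocumented=$(list_privileged "$root" | grep -vxF -f "$patterns")
  rm -f "$patterns"
  if [ -n "$undocumented" ]; then
    printf '%s\n' "$undocumented"
    return 1
  fi
  return 0
}

# Usage on a live host (requires read access to the whole tree):
#   audit_privileged / /etc/security/documented-setuid.txt
if [ "$#" -ge 2 ]; then
  audit_privileged "$1" "$2"
fi
```

Run it on a build or hardening pipeline against the documented list; a non-zero exit means a binary elevates privilege without the justification the control requires, and either the binary loses its setuid/setgid bit or the documentation is updated.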
Best Practice:
Centrally manage RBAC so that role definitions and privilege assignments have a single source of truth.
Configure system components so that centrally pushed policy takes precedence over local policy, preventing local settings from weakening the enforced role boundaries.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Observe a user holding each type of administrator role attempt to authenticate to services that the role should not have access to; the attempts should fail.
Exports of centrally (e.g., AD) and locally managed accounts. Assessors will confirm that configurations are being pushed to system components and that local policy settings are not circumventing security controls.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD