This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system audits the execution of privileged functions.
NIST 800-53 (r4) Supplemental Guidance:
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT). Related control: AU-2.
NIST 800-53 (r5) Discussion:
The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat.
38North Guidance:
Meets Minimum Requirement:
Audit the execution of privileged functions on all system components within the FedRAMP boundary.
Best Practice:
Turn logging on for all components, including servers, firewalls, applications, operating systems, databases, etc.
Conduct host inventory scanning and compare with what is in the Security Information and Event Management (SIEM) to ensure all system components are being audited.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots or PDF exports of SIEM tool dashboards that demonstrate the different components (servers, firewalls, applications, operating systems, databases, etc.) within the FedRAMP system boundary being audited.
Component inventory listing within the SIEM, compared against host inventory scan results, to verify that all system components are being audited.
Observation (with screenshots) of system administrators logging into a sample set of system components, or of searches within the SIEM tool, to confirm that auditing is turned on for all system components.
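The inventory-versus-SIEM comparison named under Best Practice and again under Assessment Evidence is straightforward to automate. The following is an added example, not code from the page or from 38North: it assumes a host inventory exported as CSV (hostname, ip, role) and a list of SIEM log sources with a last-event timestamp, both constructed inline. It normalizes names so that a short name, an FQDN in mixed case, or a bare IP address all map to the same inventory host, then reports hosts that are audited, hosts whose last event is older than a staleness window (logging was once on but has silently stopped), hosts with no log source at all, and SIEM sources that match nothing in the inventory.

```python
"""Privileged-function audit coverage check: host inventory vs. SIEM log sources.

Added example; the inventory format, SIEM source format, and the staleness
window are assumptions, not part of the original page.
"""
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample host inventory (as a scanner might export it).
INVENTORY_CSV = """hostname,ip,role
web01.corp.example,10.0.1.10,server
WEB02.corp.example,10.0.1.11,server
fw-edge01,10.0.0.1,firewall
db01.corp.example,10.0.2.5,database
app01.corp.example,10.0.3.7,application
"""

# Constructed sample SIEM log-source listing with the last event seen per source.
SIEM_SOURCES = [
    {"source": "web01", "last_event": "2024-05-01T12:00:00Z"},
    {"source": "web02.corp.example", "last_event": "2024-04-01T08:00:00Z"},  # stale
    {"source": "10.0.0.1", "last_event": "2024-05-01T11:30:00Z"},  # firewall by IP
    {"source": "app01.corp.example", "last_event": "2024-05-01T11:59:00Z"},
    {"source": "jump99.corp.example", "last_event": "2024-05-01T11:00:00Z"},  # not in inventory
]

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the run is repeatable
STALE_AFTER = timedelta(days=7)  # assumed threshold: no events for a week means logging stopped


def normalize_name(name: str) -> str:
    """Lower-case a host name and strip a trailing dot so FQDN variants compare equal."""
    return name.strip().lower().rstrip(".")


def name_keys(name: str) -> set[str]:
    """Lookup keys for one identifier: the canonical IP, or the FQDN plus its short name."""
    try:
        return {str(ipaddress.ip_address(name.strip()))}
    except ValueError:
        fqdn = normalize_name(name)
        return {fqdn, fqdn.split(".")[0]}


def parse_inventory(text: str) -> list[dict]:
    """Read the CSV inventory export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_timestamp(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def coverage_report(inventory: list[dict], siem_sources: list[dict],
                    now: datetime, stale_after: timedelta) -> dict:
    """Classify every inventory host as audited, stale, or missing; flag unknown SIEM sources."""
    # Map every name/IP key of each inventory host to its canonical (normalized) hostname.
    index: dict[str, str] = {}
    for host in inventory:
        canonical = normalize_name(host["hostname"])
        for key in name_keys(host["hostname"]) | name_keys(host["ip"]):
            index.setdefault(key, canonical)

    last_seen: dict[str, datetime] = {}
    unknown: list[str] = []
    for src in siem_sources:
        match = next((index[k] for k in name_keys(src["source"]) if k in index), None)
        if match is None:
            unknown.append(src["source"])  # SIEM knows a host the inventory does not
            continue
        ts = parse_timestamp(src["last_event"])
        if match not in last_seen or ts > last_seen[match]:
            last_seen[match] = ts  # keep the most recent event across duplicate sources

    all_hosts = {normalize_name(h["hostname"]) for h in inventory}
    return {
        "audited": sorted(h for h, ts in last_seen.items() if now - ts <= stale_after),
        "stale": sorted(h for h, ts in last_seen.items() if now - ts > stale_after),
        "missing": sorted(all_hosts - set(last_seen)),
        "unknown_sources": sorted(unknown),
    }


if __name__ == "__main__":
    report = coverage_report(parse_inventory(INVENTORY_CSV), SIEM_SOURCES, NOW, STALE_AFTER)
    for category, hosts in report.items():
        print(f"{category:16s} {', '.join(hosts) or '-'}")
```

With the constructed data, db01 is reported as missing (the database has no log source), web02 as stale (its last event is a month old), and jump99 as an unknown source, which is the inventory-side gap to chase down. The "missing" and "stale" lists are the evidence an assessor is asking for under this control; the "unknown_sources" list usually points at inventory scanning that is not reaching every subnet.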
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD