This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system enforces access restrictions and supports auditing of the enforcement actions.
NIST 800-53 (r4) Supplemental Guidance:
Related controls: AU-2, AU-12, AU-6, CM-3, CM-6.
NIST 800-53 (r5) Discussion:
Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes.
38North Guidance:
Meets Minimum Requirement:
Define, document, approve, and enforce logical access restrictions associated with changes to the information system when applicable. Logical access to the system must be restricted per AC-2 and AC-3 requirements. Role-based access privileges must provide the logical access restrictions associated with changes to the system.
Access to test environments must be restricted to only authorized personnel and roles. Only authorized individuals must be permitted access to information systems and data for purposes of testing changes.
Configure the system and its applications to automatically log user and system activity, including authentication and authorization events and the creation, modification, enabling, disabling, and removal of accounts.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
System-generated list of all accounts with access to non-production environments and to the source code of each application under review, and of all users able to promote code to the production environment.
Configuration settings of audit logging tool(s) and/or other monitoring tool(s) showing that account creation, modification, enabling, disabling, and removal actions are logged for all system components.
Audit log records showing authentication and authorization events, and the following account management events: account creation, modification, enabling, disabling, and removal actions.
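The two checks an assessor actually runs against the evidence above are (a) does the log contain every event class the evidence list names, and (b) did any change to production come from a principal outside the authorized change role. The following script is an added example written for this page; it is not 38North's, NIST's, or any CSP's tooling. The JSON-lines record schema, the action names (account.create, code.promote, and so on), and the role names are all constructed assumptions, and the sample records are fabricated for illustration rather than captured from a real system.

```python
"""Review audit records for the two CM-5 evidence items: event coverage
and enforcement of change restrictions.

Added example, not part of the original page. The record schema, the
action and role names, and every sample record are constructed.
"""
import json

# Constructed audit records (JSON lines). "role" is the actor's role as the
# assumed logging pipeline records it; real tools carry this differently.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:01Z","actor":"alice","role":"change-approver","action":"auth.login","target":"bastion","result":"success"}
{"ts":"2024-05-01T09:01:10Z","actor":"alice","role":"change-approver","action":"account.create","target":"svc-deploy","result":"success"}
{"ts":"2024-05-01T09:02:00Z","actor":"alice","role":"change-approver","action":"account.modify","target":"svc-deploy","result":"success"}
{"ts":"2024-05-01T10:15:00Z","actor":"bob","role":"developer","action":"authz.decision","target":"prod/deploy","result":"denied"}
{"ts":"2024-05-01T10:16:30Z","actor":"bob","role":"developer","action":"code.promote","target":"prod/app-1","result":"success"}
{"ts":"2024-05-01T11:00:00Z","actor":"carol","role":"release-manager","action":"code.promote","target":"prod/app-1","result":"success"}
{"ts":"2024-05-02T08:00:00Z","actor":"alice","role":"change-approver","action":"account.disable","target":"svc-deploy","result":"success"}
{"ts":"2024-05-02T08:00:05Z","actor":"alice","role":"change-approver","action":"account.remove","target":"svc-deploy","result":"success"}
"""

# Event classes the evidence list asks to see: authentication and
# authorization events plus the five account lifecycle actions.
REQUIRED_ACTIONS = {
    "auth.login", "authz.decision",
    "account.create", "account.modify", "account.enable",
    "account.disable", "account.remove",
}

# Actions that change the production system, and the (assumed) roles
# permitted to perform them.
CHANGE_ACTIONS = {"code.promote", "config.change"}
AUTHORIZED_CHANGE_ROLES = {"release-manager", "change-approver"}


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def coverage_gaps(records):
    """Return required event classes that never appear in the log.

    An empty set means the logging configuration captured every class the
    evidence list names. Anything returned is a configuration gap in the
    log source, not merely a missing sample, and must be fixed before the
    assessment.
    """
    seen = {r["action"] for r in records}
    return REQUIRED_ACTIONS - seen


def unauthorized_changes(records, authorized_roles=AUTHORIZED_CHANGE_ROLES):
    """Return successful change actions by principals outside the change role.

    A denied attempt is evidence the restriction works. A *successful*
    change by an unauthorized role means enforcement failed, and the record
    is the starting point for the after-the-fact action the r5 discussion
    describes.
    """
    return [
        r for r in records
        if r["action"] in CHANGE_ACTIONS
        and r["result"] == "success"
        and r["role"] not in authorized_roles
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("missing event classes:", sorted(coverage_gaps(recs)))
    for r in unauthorized_changes(recs):
        print("UNAUTHORIZED CHANGE:", r["ts"], r["actor"], r["action"], r["target"])
```

On the constructed sample, the coverage check reports that no account-enabling event was ever logged, which is exactly the kind of gap that turns "configuration settings showing these actions are logged" into a finding, and the enforcement check surfaces bob's successful promotion to production despite his earlier denied authorization decision.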
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD