This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [FedRAMP Assignment: (M)(H) at least quarterly].
NIST 800-53 (r4) Supplemental Guidance:
In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are, in some cases, unknown to developers. Related control: AC-2.
NIST 800-53 (r5) Discussion:
In many organizations, systems support multiple mission and business functions. Limiting privileges to change system components with respect to operational systems is necessary because changes to a system component may have far-reaching effects on mission and business processes supported by the system. The relationships between systems and mission/business processes are, in some cases, unknown to developers. System-related information includes operational procedures.
38North Guidance:
Meets Minimum Requirement:
Access to change information system components and system-related information in the production environment must be restricted to authorized personnel and roles. Ensure that every such change is processed through a Change Request (CR) ticket to obtain formal authorization. The ticket must be reviewed and approved by authorized personnel within the ticketing system itself, so that the approval record is retained with the request. Once approved, only authorized Operations and Support teams are permitted to execute the configuration change, and only as stipulated in the approved CR ticket.
Review change access privileges at least quarterly.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
System-generated listing (or screen prints) of users with the ability to access and promote code to the production environment, for each application under review
Evidence of most recent review of accounts (and users with access to the accounts) with development/integration privileges
Evidence of most recent production account review, and that accounts and privileges that were incorrect or unnecessary were removed
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD