This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Employs automated mechanisms [FedRAMP Assignment: (M)(H) Continuously, using automated mechanisms with a maximum five-minute delay in detection] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
(b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing. Related controls: AC-17, AC-18, AC-19, CA-7, SI-3, SI-4, SI-7, RA-5.
NIST 800-53 (r5) Discussion:
Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see CM-7(9)). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved, for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as sandboxing.
38North Guidance:
Meets Minimum Requirement:
Employ automated mechanisms continuously, with a maximum five-minute delay in detection, to detect the presence of unauthorized hardware, software, and firmware components.
Take one or more of the following actions when unauthorized components are detected:
disables network access by such components;
isolates the components;
defines personnel or roles to be notified when unauthorized components are detected.
Auditor will ask: How do you detect a new, unauthorized VM added to the authorization boundary?
The system needs to generate an alert when a new, unauthorized VM is added, and that alert must fire within the five-minute detection window. One example of such a rule: alert on any VM deployed by a human user account, because in a controlled environment VMs should only ever be deployed by approved service accounts. The exact rule depends on the system's deployment model, but it should key on who created the component, not only on the fact that a component appeared.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Configuration settings for the automated mechanisms (tools, scripts, etc.) in place to detect the addition of unauthorized hardware, software or firmware components into the information system.
Defined and implemented actions when unauthorized components are detected.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD