This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system implements multifactor authentication for local access to non-privileged accounts.
NIST 800-53 (r4) Supplemental Guidance:
None
References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
[Withdrawn: Incorporated into IA-2(2).]
38North Guidance:
Meets Minimum Requirement:
Implements the use of MFA for local access to non-privileged accounts if non-privileged accounts exist within the boundary.
Uses FIPS 140-2 or FIPS 140-3 approved MFA solutions.
Best Practice:
Allow non-privileged accounts to access the VPN, but only as far as the bastion host.
Privileged functions should only be executed using privileged accounts.
All account activity within the boundary should be monitored.
All VPN access needs an MFA solution in place that is FIPS 140-2 or FIPS 140-3 validated, such as hardware tokens (YubiKey, RSA, Gemalto, etc.) or software tokens (Google Authenticator, RSA, Duo, Okta, etc.).
Unofficial FedRAMP Guidance:
Okta push notification currently does not meet NIST SP 800-63B (Section 5.1.3.2) requirements for out-of-band verifiers. CSPs should use Okta one-time password or passcode (OTP) instead.
Assessment Evidence:
Demonstration of multi-factor authentication into the FedRAMP environment, specifically non-privileged account access into the environment and into components such as edge routers or network devices, from both CLI and GUI interfaces (if applicable), where non-privileged accounts are able to access these devices.
Screenshots of MFA configurations for accessing components in the environment, showing whether non-privileged accounts have access.
CSP Implementation Tips: TBD