This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
NIST 800-53 (r4) Supplemental Guidance:
Requiring individuals to use individual authenticators as a second level of authentication helps organizations to mitigate the risk of using group authenticators.
References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators.
38North Guidance:
Meets Minimum Requirement:
Requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
Best Practice:
Do not permit group accounts to be used within the system, especially for accessing the FedRAMP boundary.
All VPN access must use an MFA solution that is FIPS 140-2 or FIPS 140-3 validated, such as hardware tokens (YubiKey, RSA, Gemalto, etc.) or software tokens (Google Authenticator, RSA, Duo, Okta, etc.).
Unofficial FedRAMP Guidance: None
Assessment Evidence:
List of all accounts used within the FedRAMP boundary, to verify that no group accounts exist.
If group accounts do exist, are they used to access the boundary, and if so, is MFA used?
CSP Implementation Tips: TBD