This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
NIST 800-53 (r4) Supplemental Guidance:
Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password).
References: OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
In addition to applications, other forms of static storage include access scripts and function keys. Organizations exercise caution when determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators.
Related Controls: None.
38North Guidance:
Meets Minimum Requirement:
Ensures that unencrypted static authenticators are not:
Embedded in applications;
Embedded in access scripts; or
Stored on function keys.
Best Practice:
Ensure passwords are cryptographically protected and that no passwords are stored for applications.
Ensure source code, binaries, or scripts do not have embedded passwords.
If configuration variables are stored in a configuration file, ensure that the file is protected with strong encryption.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots from vulnerability scanning tools (such as Nessus or Qualys) demonstrating that the passwords used to conduct authenticated scans of the FedRAMP boundary are not stored unencrypted.
Observe system administrators as they navigate the environment to confirm that no stored passwords are used.
CSP Implementation Tips: TBD