This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization implements [FedRAMP Assignment: (H) different authenticators on different systems] to manage the risk of compromise due to individuals having accounts on multiple information systems.
NIST 800-53 (r4) Supplemental Guidance:
When individuals have accounts on multiple information systems, there is the risk that the compromise of one account may lead to the compromise of other accounts if individuals use the same authenticators. Possible alternatives include, for example: (i) having different authenticators on all systems; (ii) employing some form of single sign-on mechanism; or (iii) including some form of one-time passwords on all systems.
References:
OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
When individuals have accounts on multiple systems and use the same authenticators such as passwords, there is the risk that a compromise of one account may lead to the compromise of other accounts. Alternative approaches include having different authenticators (passwords) on all systems, employing a single sign-on or federation mechanism, or using some form of one-time passwords on all systems. Organizations can also use rules of behavior (see PL-4) and access agreements (see PS-6) to mitigate the risk of multiple system accounts. Related Controls: PS-6.
38North Guidance:
Meets Minimum Requirement:
Implement organization-defined security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems.
Best Practice:
Implement different passwords or crypto keys for all production/development systems.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Listing of all accounts utilized in the FedRAMP boundary.
Listing of all MFA accounts demonstrating different usernames and passwords are utilized throughout the environment.
Screenshots of all MFA tokens that demonstrate a unique serial number are used on each hardware token.
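The evidence above amounts to a cross-system reuse check: no individual should present the same authenticator on more than one system, and no hardware token serial should appear more than once. The following is an added audit script, not part of 38North's or FedRAMP's guidance; it assumes an assessor has exported a constructed inventory of non-secret authenticator identifiers (token serials, SSH public-key fingerprints, FIDO credential IDs) and flags the reuse that IA-5(8) is meant to prevent.

```python
"""Audit an authenticator inventory for cross-system reuse (IA-5(8) evidence check)."""
from collections import defaultdict

# Constructed sample inventory: one row per (system, account, authenticator).
# authenticator_id is a NON-secret identifier of the authenticator: a hardware-token
# serial, an SSH public-key fingerprint, or a FIDO credential ID. Never export secrets.
SAMPLE_INVENTORY = [
    {"system": "prod-bastion", "user": "alice", "kind": "ssh-key",  "authenticator_id": "SHA256:aaaa1111"},
    {"system": "dev-bastion",  "user": "alice", "kind": "ssh-key",  "authenticator_id": "SHA256:aaaa1111"},  # same key on prod and dev
    {"system": "prod-bastion", "user": "bob",   "kind": "ssh-key",  "authenticator_id": "SHA256:bbbb2222"},
    {"system": "dev-bastion",  "user": "bob",   "kind": "ssh-key",  "authenticator_id": "SHA256:bbbb3333"},  # distinct keys: compliant
    {"system": "vpn",          "user": "alice", "kind": "hw-token", "authenticator_id": "TOKEN-0001"},
    {"system": "vpn",          "user": "carol", "kind": "hw-token", "authenticator_id": "TOKEN-0001"},  # duplicate token serial
    {"system": "vpn",          "user": "bob",   "kind": "hw-token", "authenticator_id": "TOKEN-0002"},
]


def find_reused_authenticators(inventory):
    """Map (kind, authenticator_id) -> sorted [(system, user), ...] for every authenticator
    that is bound to more than one system/user pair. Catches both a person reusing one
    authenticator across systems and one token serial registered to several people."""
    seen = defaultdict(set)
    for row in inventory:
        seen[(row["kind"], row["authenticator_id"])].add((row["system"], row["user"]))
    return {key: sorted(uses) for key, uses in seen.items() if len(uses) > 1}


def users_with_cross_system_reuse(inventory):
    """Users who present the same authenticator on more than one system (the IA-5(8) case)."""
    per_user = defaultdict(lambda: defaultdict(set))
    for row in inventory:
        per_user[row["user"]][(row["kind"], row["authenticator_id"])].add(row["system"])
    return sorted(user for user, auths in per_user.items()
                  if any(len(systems) > 1 for systems in auths.values()))


if __name__ == "__main__":
    for key, uses in find_reused_authenticators(SAMPLE_INVENTORY).items():
        print(f"FINDING {key[0]} {key[1]} is bound to: {uses}")
    print("users reusing an authenticator across systems:", users_with_cross_system_reuse(SAMPLE_INVENTORY))
```

Passwords cannot be compared this way because each system stores its own salted verifier; for those, the evidence remains the per-system listings and policy attestations the section above describes.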
CSP Implementation Tips: TBD