This page is classified as INTERNAL.
NIST 800-53 (r4) Control
The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [FedRAMP Assignment: (H) twenty-four (24) hours, (L) (M) organizationally-defined];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [FedRAMP Assignment: (H) twenty-four (24) hours, (L) (M) five days of the time period following the formal transfer action (DoD 24 hours)].
NIST 800-53 (r4) Supplemental Guidance
This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4.
NIST 800-53 (r5) Discussion
Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.
Meets Minimum Requirement:
Personnel transfers must be logged in an account management ticketing system or other comparable solution
Transfers must be accompanied by a review of changes to access by account control personnel
If access changes as the result of a transfer, the organization must make the access control changes within 24 hours (H) or five business days (M) (L)
An explicit action or note must be made in the authoritative access control register (e.g., a ticketing system or comparable solution) indicating that the change in access resulting from the transfer was reviewed and action taken as appropriate
Designated role(s) must be notified of changes to access as a result of a transfer. Examples could include a division head, an ISSO, a Director of Risk Management, or similar
Best Practice:
Coordinate the approach with physical security if changes to physical access are a consideration (e.g., parking passes, building access, physical keys, etc.)
In instances of transfer it is especially critical to terminate secondary and tertiary accounts that an individual may hold (example: a terminated individual loses access when their MFA account is suspended, but a transferring individual may retain their MFA account, so those secondary accounts do not lapse on their own and must be removed explicitly)
Individuals transferring into the system boundary from outside should be evaluated to determine if they meet all criteria for system access, including training and screening requirements
If possible, new individuals transitioning into the boundary should have limited access through an introductory period (e.g., granting root access on day one is not the best idea)
Ideally an automated ticketing system is used to record account access changes, with notifications distributed to cognizant parties throughout the process
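As an added example (not tooling from the original page or from any CSP), the following Python script performs the access review a transfer ticket should trigger: it diffs the transferring user's primary-account entitlements against the target role, lists the secondary and service accounts tied to the same owner so they are not silently retained, and checks the ticket record for the 24-hour / five-day change window, the review note and the notification. The role-to-entitlement map, account inventory, ticket fields and SLA table are constructed assumptions for illustration.

```python
"""Transfer reconciliation check (added example, not from the original page).

All data below is constructed: the role-to-entitlement map, the account
inventory, the ticket record and the SLA table are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Change window per impact level, per the minimum requirement above (assumed:
# High uses 24 hours, Moderate and Low share the five-day window).
SLA = {"H": timedelta(hours=24), "M": timedelta(days=5), "L": timedelta(days=5)}

# Constructed role -> entitlement map (a real one comes from the IdP/IGA tool).
ROLE_ENTITLEMENTS = {
    "dba": {"prod-db-admin", "vpn", "ticketing"},
    "helpdesk": {"ticketing", "vpn", "password-reset"},
}

# Constructed account inventory. Secondary (admin) and service accounts are
# keyed to the same human owner; a transfer review must catch them too.
ACCOUNTS = [
    {"account": "jdoe", "owner": "jdoe", "kind": "primary",
     "entitlements": {"prod-db-admin", "vpn", "ticketing"}},
    {"account": "jdoe-adm", "owner": "jdoe", "kind": "secondary",
     "entitlements": {"prod-db-admin"}},
    {"account": "svc-backup", "owner": "jdoe", "kind": "service",
     "entitlements": {"prod-db-admin"}},
    {"account": "asmith", "owner": "asmith", "kind": "primary",
     "entitlements": {"vpn", "ticketing"}},
]


def reconcile(owner, new_role, accounts=ACCOUNTS, role_map=ROLE_ENTITLEMENTS):
    """Return the access changes a transfer requires.

    The primary account is diffed against the target role. Every other
    account owned by the person is listed for explicit disable/reassign:
    the MFA-protected primary account surviving the transfer does not
    make old admin or service accounts go away by themselves.
    """
    target = role_map[new_role]
    plan = {"revoke": [], "grant": [], "review_secondary": []}
    for acct in accounts:
        if acct["owner"] != owner:
            continue
        if acct["kind"] == "primary":
            plan["revoke"] += [(acct["account"], e) for e in sorted(acct["entitlements"] - target)]
            plan["grant"] += [(acct["account"], e) for e in sorted(target - acct["entitlements"])]
        else:
            plan["review_secondary"].append((acct["account"], sorted(acct["entitlements"])))
    return plan


def check_ticket(ticket, impact):
    """Findings against the minimum requirement: change window, review note, notification."""
    findings = []
    changed = ticket.get("access_changed_at")
    if changed is None:
        findings.append("access change not recorded")
    elif changed - ticket["effective"] > SLA[impact]:
        findings.append(f"access change outside {SLA[impact]} window for impact level {impact}")
    if not ticket.get("review_note"):
        findings.append("no review note in authoritative register")
    if not ticket.get("notified"):
        findings.append("designated roles not notified")
    return findings


# Constructed ticket: transfer effective 1 March, access changed two days later.
SAMPLE_TICKET = {
    "ticket": "ACM-1042",          # constructed ticket id
    "owner": "jdoe",
    "new_role": "helpdesk",
    "effective": datetime(2024, 3, 1, 9, 0),
    "access_changed_at": datetime(2024, 3, 3, 9, 0),
    "review_note": "prod-db-admin removed; jdoe-adm and svc-backup disabled",
    "notified": ["isso", "division-head"],
}

if __name__ == "__main__":
    print(reconcile(SAMPLE_TICKET["owner"], SAMPLE_TICKET["new_role"]))
    for level in ("H", "M"):
        print(level, check_ticket(SAMPLE_TICKET, level) or ["ok"])
```

Run against the sample ticket, the same two-day change passes at Moderate and fails at High, which is the point of keeping the impact level in the check rather than hard-coding one window; the secondary and service accounts show up in the plan regardless of what the new role grants.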
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review documented process
Interview personnel to validate that the process is adhered to
Inspect the ticketing system or account management register for evidence that the process is adhered to (e.g., notes in a ticket describing a review and/or changes to access)
CSP Implementation Tips:
AWS: Fully inherited for the provider's own personnel; transfers of the organization's own staff and their accounts remain the organization's responsibility
Azure: Fully inherited for the provider's own personnel; transfers of the organization's own staff and their accounts remain the organization's responsibility
GCP: Fully inherited for the provider's own personnel; transfers of the organization's own staff and their accounts remain the organization's responsibility