This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system implements privileged access authorization to [FedRAMP Assignment: (M)(H) operating systems / web applications / databases] for selected [FedRAMP Assignment: (M)(H) all scans].
NIST 800-53 (r4) Supplemental Guidance:
In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning.
NIST 800-53 (r5) Discussion:
In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning.
38North Guidance:
Meets Minimum Requirement:
Credentialed (privileged) scans must be conducted on all components within the FedRAMP environment, including every operating system, web application, and database; FedRAMP's assignment applies this to all scans, not a subset.
Best Practice:
Conduct privileged scans with administrator or privileged accounts, or with scanning agents installed on the target components, and confirm from the scanner's own authentication-status output that the credentials actually worked on each host (a scan launched with credentials that failed to authenticate is not a credentialed scan).
Ensure that the privileged or administrator credentials used for scanning are accessible only to authorized personnel, are stored in an encrypted secrets manager rather than in scanner configuration files or scripts, and are rotated when personnel with access to them are terminated or transferred.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Credentialed scan results demonstrating that privileged (administrator-level) scans are conducted on all components within the FedRAMP production environment, with scan coverage reconciled against the authorization-boundary inventory so that unscanned or unauthenticated components are visible.
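The evidence above is only convincing if every in-scope component appears in the scan output with authentication confirmed. The following script is an added example (not part of the 38North guidance or any scanner vendor's tooling) that reconciles a boundary inventory against a scanner export and reports components that were not scanned, were scanned without working credentials, or were scanned but are missing from the inventory. Both CSV inputs are constructed sample data; the column names (asset, component_type, credentialed) are assumptions, since real exports from Tenable, Qualys and similar tools use their own field names and would need to be mapped first.

```python
"""Reconcile a boundary inventory against a credentialed-scan export.

Added example for RA-5(5) evidence review; not vendor code. Column names are
assumed and would be mapped from the real scanner export.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample: authorization-boundary inventory, one row per component.
INVENTORY_CSV = """asset,component_type
web-01,operating_system
web-01,web_application
db-01,operating_system
db-01,database
bastion-01,operating_system
"""

# Constructed sample: scanner export. 'credentialed' reflects the scanner's
# reported authentication status, not merely whether credentials were supplied.
SCAN_CSV = """asset,component_type,credentialed,scan_date
web-01,operating_system,true,2024-05-01
web-01,web_application,true,2024-05-01
db-01,operating_system,false,2024-05-01
bastion-01,operating_system,true,2024-05-01
legacy-01,operating_system,true,2024-05-01
"""

TRUE_VALUES = {"true", "yes", "1", "success"}


@dataclass(frozen=True)
class Finding:
    asset: str
    component_type: str
    reason: str  # "not_scanned", "uncredentialed" or "not_in_inventory"


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def check_credentialed_coverage(inventory_csv, scan_csv):
    """Return findings for every gap between inventory and credentialed scans."""
    inventory = {(r["asset"], r["component_type"]) for r in load_rows(inventory_csv)}
    scanned, credentialed = set(), set()
    for r in load_rows(scan_csv):
        key = (r["asset"], r["component_type"])
        scanned.add(key)
        if r["credentialed"].strip().lower() in TRUE_VALUES:
            credentialed.add(key)

    findings = []
    # Inventory side: everything in the boundary must have a credentialed result.
    for asset, ctype in sorted(inventory):
        if (asset, ctype) not in scanned:
            findings.append(Finding(asset, ctype, "not_scanned"))
        elif (asset, ctype) not in credentialed:
            findings.append(Finding(asset, ctype, "uncredentialed"))
    # Scan side: a scanned component absent from inventory means the inventory
    # is stale, which undermines the "all components" claim in the evidence.
    for asset, ctype in sorted(scanned - inventory):
        findings.append(Finding(asset, ctype, "not_in_inventory"))
    return findings


def is_fully_covered(findings):
    """True only when no inventory component lacks a credentialed scan."""
    return not any(f.reason in ("not_scanned", "uncredentialed") for f in findings)


if __name__ == "__main__":
    for f in check_credentialed_coverage(INVENTORY_CSV, SCAN_CSV):
        print(f"{f.asset:12} {f.component_type:18} {f.reason}")
```

With the sample data the check reports db-01's database as never scanned, db-01's operating system as scanned without working credentials, and legacy-01 as scanned but absent from the inventory; the first two are control failures, the third is an inventory-accuracy gap an assessor will also ask about.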
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD