Access Control Deep Dive
Deep Dive into Changes to the Access Control Family in FedRAMP Revision 5
The FedRAMP Program Management Office (PMO) has released new proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 (NIST SP 800-53 Rev. 5). Here we take a closer look at the changes the new baselines bring to the Access Control family.
Considerable Changes to the Low, Moderate, and High baselines include:
- Policies and procedures will now need to be designated as organization-level, mission- or business-process-level, or system-level
- A requirement to designate a specific official to manage the development, documentation, and dissemination of policies and procedures
- A requirement to define criteria or prerequisites of roles and group membership to determine the types of users and accounts allowed in the role or group
- The addition of several options for the action taken when the number of consecutive invalid logon attempts exceeds the defined threshold
- Each type of remote access needs documented usage restrictions and configuration or connection requirements
- An obligation to establish configuration and connection requirements when organization-controlled devices are outside of controlled areas
Considerable Changes to the Moderate and High baselines include:
- A new parameter specifying the automated mechanisms used to support management of system accounts
- An emphasis on the benefits of automated removal or disabling of emergency accounts
- Conditions upon which to disable accounts beyond an inactive time period, including accounts that have expired, are no longer associated with a user or individual, or are in violation of organizational policy
- The removal of a requirement to notify a defined role when account creation, modification, enabling, disabling, and/or removal actions occur
- A new parameter requiring the use of either a role-based or an attribute-based access scheme to establish and administer privileged user accounts
- A requirement to define significant risks, which would require the disabling of accounts of individuals upon discovery of the risk
- A requirement to define the roles or individuals that are authorized access to security functions and security-relevant information
- The addition of a list of conditions for initiating a device lock
- The removal of the parameter defining the number of managed network access control points through which remote access is routed
- The authorization of execution of privileged commands and access to security-relevant information via remote access must be in a format that provides assessable evidence
Considerable Changes to the Moderate baseline include:
- The addition of a requirement to review privileges assigned to roles or classes of users to validate the need for privileges and reassign or remove privileges as needed
Considerable Changes to the High baseline include:
- The addition of a control requirement preventing encrypted information from bypassing information flow control mechanisms and the termination of sessions attempting to bypass information flow control mechanisms
- The removal of the requirement to enforce information flow control using defined security policy filters
- The removal of the requirement to display an explicit logout message to users indicating the reliable termination of authenticated communications sessions
Check back here for more deep dives into changes in each control family and updates from the FedRAMP PMO. Contact InfusionPoints for assistance with your FedRAMP journey.