
Suggested Controls

selenaxiao-nist edited this page Nov 13, 2024 · 8 revisions

Suggested BloSS🌻M 800-53 Controls

(Suggested and Specified by James Younger, Ned Goren)

NIST 800-52 Rev5 PDF

  1. AC-2 Account Management

    • AC-2 CFS Reference

    • AC-2 CSRC Reference

    • Proofs:

      Summary

      • users and their associated privileges
      • identify system administrator and privileges
      • identify system user and privileges
      • identify that the SSP has been updated
      • list user groups and roles
      • verify that users have valid system access authorizations
      • verify that user system usage is documented
      • no group or shared accounts
      • AWS-generated, date-specific list of user accounts. Need to verify that when an account change request is received, user accounts are updated.

      Statement-id=ac-2.a

      EVIDENCE: Need access to system user accounts and ACLs.

      • Need AWS-generated printout of user privileges.
        • Need a printout of privileged and non-privileged users and their associated privileges on the system.

      Statement-id=ac-2.b

      EVIDENCE: Need access to the system admin console and to account creation workflows to review system admin privileges.

      • Need AWS-generated printout of user privileges.
        • Need a printout of users and their privileges to identify system administrator privileges.

      Statement-id=ac-2.c

      EVIDENCE: Need access to the system admin console and to account creation workflows to identify system user privileges.

      • Need AWS-generated printout of user privileges.
        • Need a printout of users and their privileges to identify system user privileges.
      • Need account creation workflows.
        • Need to review completed and approved workflows to identify what privileges system users were given.

      Statement-id=ac-2.d

      EVIDENCE: Need access to Blossom account creation workflows and review approved user authorizations to identify user privileges, roles, and access authorizations.

      Statement-id=ac-2.d.1

      EVIDENCE: Need access to the system admin console and the SSP to verify users on the system.

      • Need AWS-generated ACLs.
        • Need to identify system users.
      • Need to create a workflow with information in the comment box stating that the SSP has been reviewed.
        • Need to review completed workflows identifying that the SSP has been updated.

      Statement-id=ac-2.d.2

      EVIDENCE: Need access to the system admin console and the SSP to verify system user group and role membership.

      • Need to create a workflow with user group and role membership identified.
        • Need to review completed workflows identifying user group and role membership.
      • Need AWS-generated printout or list of user groups and roles.

      Statement-id=ac-2.d.3

      EVIDENCE: Need access to the system and to account creation workflows to verify user system access authorizations.

      • Need AWS-generated user accounts.
        • Need to review AWS-generated printout and verify that users have valid access authorizations.
      • Need account creation workflows.
        • Need to review workflows to verify that users have valid system access authorizations.

      Statement-id=ac-2.e

      EVIDENCE: Need access to the system account creation workflows.

      • Need to review user account request workflows to validate that account requests have been submitted and are complete and approved.

      Statement-id=ac-2.f

      EVIDENCE: Need access to the system account creation workflows.

      • Need to review user account request workflows to validate that account changes/updates have been submitted and are complete and approved.

      Statement-id=ac-2.g

      EVIDENCE: Need documentation showing user accounts are monitored.

      • Need to create a workflow where account use monitoring information is noted in the comment box.
        • Need to review completed workflows to validate that system administrators are monitoring Blossom.

      Statement-id=ac-2.h

      Verify that Blossom account managers, system owner, and program manager are notified within:

      Statement-id=ac-2.h.1

      1 business day when accounts are no longer required. EVIDENCE: Need documentation showing notification.

      • Need to create a workflow where account information from HR is noted in the comment box.
        • Need to review completed workflows to validate that user account changes are documented.

      Statement-id=ac-2.h.2

      1 business day when users are terminated or transferred. EVIDENCE: Need documentation showing notification.

      • Need to create a workflow from the system administrator to the account managers, system owner, and program manager, where account information is noted in the comment box.
        • Need to review completed workflows to validate that user account changes are documented.

      Statement-id=ac-2.h.3

      1 business day when system usage or need-to-know changes for an individual. EVIDENCE: Need documentation showing notification.

      • Need to create a workflow where account information is noted in the comment box.
        • Need to review completed workflows to validate that user account changes are documented.

      Statement-id=ac-2.i

      Verify that system access authorizations are based on:

      Statement-id=ac-2.i.1

      A valid access authorization. EVIDENCE: Need access to the system account creation workflows to verify approval of accounts.

      • Need to review completed workflows to verify that user access accounts are authorized.

      Statement-id=ac-2.i.2

      Intended system usage. EVIDENCE: Need access to the system account creation workflows to verify user-intended usage of the system.

      • Need to review completed workflows to verify that user system usage is documented.

      Statement-id=ac-2.j

      Verify that accounts are reviewed for compliance with account management requirements every 6 months. EVIDENCE: Need documentation showing user accounts are reviewed every 6 months.

      • Need to create a workflow where the system administrator notes in the comment box that system user accounts have been reviewed in this 6-month cycle.
        • Need to review completed workflows to verify that system administrators review all user accounts every 6 months.

      Statement-id=ac-2.k

      Verify that there are no group or shared accounts created for accessing Blossom. EVIDENCE: Need access to the system admin console to verify that there are no shared or group system accounts.

      • Need AWS-generated printout of system accounts.
        • Need to review system user accounts and verify that there are no group or shared accounts.

      Statement-id=ac-2.l

      Verify that the Blossom system administrator updates all Blossom user accounts when users are terminated or transferred and their Blossom account is no longer required. EVIDENCE: Need access to the system admin console to review account changes.

      • Need AWS-generated, date-specific list of user accounts. Need to verify that when an account change request is received, user accounts are updated.
        • Need to review AWS-generated system user accounts and verify that accounts have been updated.
        • Need to review completed workflows to verify that system account changes have been requested.

  2. AC-3 Access Enforcement

    • AC-3 CFS Reference
    • AC-3 CSRC Reference
    • Goal: Demonstrate logical access enforcement
    • Proofs:
      • Fabric-CA query of the users currently enrolled
      • Verify that the CA certificates for these users are active
      • Show un-enrolled users and revoked CA certificates
  3. AC-6 Least Privilege

    • AC-6 CFS Reference
    • AC-6 CSRC Reference
    • Proofs:
      • Roles and privileges mapping confirmation
      • Pull all the roles
      • Pull corresponding privileges
      • Make sure users in roles are not over-endowed with privileges
  4. AC-17 Remote Access

  5. AU-2 Event Logging

  6. AU-3 Content of Audit Records?

  7. IA-2 Identification and Authentication (organizational users)

    • IA-2 CFS Reference
    • IA-2 CSRC Reference
    • Proofs:
      • Listing of separate (individual) identities within the system.
      • Process diagrams of how authentication is achieved.
      • Note: this can be a flow diagram.
  8. RA-5 Vulnerability Monitoring and Scanning

    • RA-5 CFS Reference
    • RA-5 CSRC Reference
    • Proofs:
      • Show any tools or platforms that provide vulnerability or configuration compliance information.
      • In the case of Blossom this could include cloud security platform tools such as GuardDuty and Security Hub.
  9. SA-11 Developer Testing and Evaluation

  10. SC-2 Separation of System and User Functionality

  11. SC-5 Denial of Service

  12. SC-7 Boundary Protection
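The AC-2 proofs above (accounts trace to an approved creation workflow, no group or shared accounts) and the AC-6 role-to-privilege check can be run as a script over the AWS-generated printout once it is exported. The following is an added example, not BloSS🌻M project code; its account records, approved workflow ids and role mapping are constructed stand-ins for the printouts and completed workflows the evidence items call for.

```python
"""Evidence review for AC-2 (account management) and AC-6 (least privilege).
Added example, not BloSS🌻M project code: the records below are constructed
stand-ins for the AWS-generated printouts and completed workflows."""

# Constructed stand-in for an AWS-generated printout of users and privileges.
# "owners" lists the people who hold the credential; more than one means shared.
ACCOUNT_PRINTOUT = [
    {"user": "alice", "owners": ["alice"], "roles": ["auditor"],
     "privileges": ["ledger:read"]},
    {"user": "bob", "owners": ["bob"], "roles": ["sysadmin"],
     "privileges": ["ledger:read", "ledger:write", "iam:manage"]},
    {"user": "ops-shared", "owners": ["bob", "carol"], "roles": ["operator"],
     "privileges": ["ledger:read", "ledger:write"]},
    {"user": "carol", "owners": ["carol"], "roles": ["operator"],
     "privileges": ["ledger:read", "ledger:write", "iam:manage"]},
]

# Constructed stand-in for completed, approved account-creation workflows.
APPROVED_WORKFLOWS = {"alice": "WF-101", "bob": "WF-102", "ops-shared": "WF-105"}

# Constructed role -> privilege mapping as documented in the SSP.
ROLE_PRIVILEGES = {
    "auditor": {"ledger:read"},
    "operator": {"ledger:read", "ledger:write"},
    "sysadmin": {"ledger:read", "ledger:write", "iam:manage"},
}

def review_accounts(printout, approved, role_privs):
    """Return a list of (statement_id, user, detail) findings for the reviewer."""
    findings = []
    for rec in printout:
        user = rec["user"]
        # AC-2.k: no group or shared accounts.
        if len(rec["owners"]) != 1:
            findings.append(("ac-2.k", user, "shared by " + ", ".join(rec["owners"])))
        # AC-2.i.1: every account must trace to an approved creation workflow.
        if user not in approved:
            findings.append(("ac-2.i.1", user, "no approved workflow"))
        # AC-6: granted privileges must not exceed what the user's roles authorize.
        allowed = set().union(*(role_privs.get(r, set()) for r in rec["roles"]))
        extra = sorted(set(rec["privileges"]) - allowed)
        if extra:
            findings.append(("ac-6", user, "over-endowed: " + ", ".join(extra)))
    return findings

if __name__ == "__main__":
    for sid, user, detail in review_accounts(ACCOUNT_PRINTOUT, APPROVED_WORKFLOWS, ROLE_PRIVILEGES):
        print(f"{sid:9} {user:12} {detail}")
```

Each finding carries the statement id it supports, so the output can be pasted into the workflow comment box as the review record the evidence items ask for.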