💼 AC-2 Account Management (L)(M)(H)
- Contextual name: 💼 AC-2 Account Management (L)(M)(H)
- ID:
/frameworks/fedramp-low-security-controls/ac/02 - Located in: 💼 Access Control
Description
a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
b. Assign account managers;
c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
d. Specify:
- Authorized users of the system;
- Group and role membership; and
- Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
g. Monitor the use of accounts;
h. Notify account managers and [Assignment: organization-defined personnel or roles] within:
- [FedRAMP Assignment: twenty-four (24) hours] when accounts are no longer required;
- [FedRAMP Assignment: eight (8) hours] when users are terminated or transferred; and
- [FedRAMP Assignment: eight (8) hours] when system usage or need-to-know changes for an individual;
i. Authorize access to the system based on:
- A valid access authorization;
- Intended system usage; and
- [Assignment: organization-defined attributes (as required)];
j. Review accounts for compliance with account management requirements [FedRAMP Assignment: quarterly for privileged access, annually for non-privileged access];
k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
l. Align account management processes with personnel termination and transfer processes.
Similar
- Sections
/frameworks/nist-sp-800-53-r5/ac/02/frameworks/fedramp-high-security-controls/ac/02
- Internal
- ID:
dec-c-ca47f9bb
- ID:
Similar Sections (Take Policies From)
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| 💼 FedRAMP High Security Controls → 💼 AC-2 Account Management (L)(M)(H) | 10 | 8 | 35 | |
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management | 13 | 20 | 34 |
Sub Sections
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|
Policies (4)
| Policy | Logic Count | Flags |
|---|---|---|
| 📝 AWS IAM Policy allows full administrative privileges 🟢 | 1 | 🟢 x6 |
| 📝 AWS IAM User has inline or directly attached policies 🟢 | 1 | 🟠 x1, 🟢 x5 |
| 📝 AWS IAM User with credentials unused for 45 days or more is not disabled 🟢 | 1 | 🟢 x6 |
| 📝 Google GCE Instance OS Login is not enabled 🟢 | 1 | 🟢 x6 |