AC-17 Remote Access
base control objective:
The organization:
a. Documents allowed methods of remote access to the information system;
b. Establishes usage restrictions and implementation guidance for each allowed remote access method;
c. Monitors for unauthorized remote access to the information system;
d. Authorizes remote access to the information system prior to connection; and
e. Enforces requirements for remote connections to the information system.
supplemental objective information:
This control requires explicit authorization prior to allowing remote access to an information system, without specifying a specific format for that authorization. For example, while the organization may deem it appropriate to use a system interconnection agreement to authorize a given remote access, such agreements are not required by this control. Remote access is any access to an organizational information system by a user (or process acting on behalf of a user) communicating through an external network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. A virtual private network, when adequately provisioned with appropriate security controls, may be treated as an internal network (i.e., the organization establishes a network connection between organization-controlled endpoints in a manner that does not require the organization to depend on external networks to protect the confidentiality or integrity of information transmitted across the network).
In the case of wireless, because such signals generally radiate beyond the confines and control of organization-controlled facilities, the signals are generally considered to be remote. In some instances, actions may be taken so that wireless communications are confined to the organization-controlled boundaries (e.g., because the wireless link is point-to-point in nature, because the power of the wireless signal is sufficiently reduced that it cannot transit the physical perimeter of the organization, or because the organization has taken measures, such as TEMPEST, to ensure the communications are confined to the organization boundary). In those instances, the communications are considered network, not remote. Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication.
Remote access controls are applicable to information systems other than public web servers or systems specifically designed for public access. Enforcing access restrictions to the information system associated with remote connections is accomplished by control AC-03.
enhancements to the base objective:
(1) The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.
Enhancement Supplemental Guidance: Automated monitoring of remote access sessions allows organizations to audit user activities on a variety of information system components (e.g., servers, workstations, notebook/laptop computers) and to ensure compliance with remote access policy.
(2) The organization uses cryptography to protect the confidentiality and integrity of remote access sessions.
Enhancement Supplemental Guidance: The encryption strength of the mechanism is selected based on the security categorization of the information.
(3) The information system routes all remote accesses through a limited number of managed access control points.
(4) The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs and documents the rationale for such access in the security plan for the information system.
(5) The information system protects wireless access to the system using authentication and encryption.
Enhancement Supplemental Guidance: Authentication applies to user, device, or both as necessary.
(6) The organization monitors for unauthorized remote connections to the information system, including scanning for unauthorized wireless access points [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered.
Enhancement Supplemental Guidance: Organizations proactively search for unauthorized remote connections, including the conduct of thorough scans for unauthorized wireless access points. The scan is not necessarily limited to only those areas within the facility containing the information systems, but is conducted outside of those areas only as needed to verify that unauthorized wireless access points are not connected to the system.
(7) The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
(8) The organization does not allow users to independently configure wireless networking capabilities.
(9) The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
(10) The organization ensures that remote sessions for accessing [Assignment: organization-defined list of security functions and security-relevant information] employ additional security measures [Assignment: organization-defined security measures] and are audited.
Enhancement Supplemental Guidance: Additional security measures are typically above and beyond standard bulk or session layer encryption (e.g., Secure Shell [SSH], Virtual Private Networking [VPN] with blocking mode enabled).
(11) The organization disables peer-to-peer wireless networking capability within the information system except for explicitly identified components in support of specific operational requirements.
(12) The organization disables networking protocols within the information system that the organization deems to be non-secure except for explicitly identified components in support of specific operational requirements.
Enhancement Supplemental Guidance: The organization can either make a determination of the relative security of the networking protocol or base the security decision on the assessment of other entities. Bluetooth is an example of a less than secure networking protocol for wireless applications.
mapping to FIPS 199 baseline:
LOW: base
MOD: base (1) (2) (3) (4) (5) (10)
HIGH: base (1) (2) (3) (4) (5) (6) (10)
related (regimented) controls:
AC-03 | Access Enforcement
AC-20 | Use of External Information Systems
IA-02 | User Identification and Authentication (Organizational Users)
IA-03 | Device Identification and Authentication
IA-08 | Identification and Authentication (Non-Organizational Users)
MA-04 | Non-local Maintenance
documents referenced in SP800-53rev3 for AC-17:
Document | Date | Status | Title
FIPS 199 | February, 2004 | current | Standards for Security Categorization of Federal Information and Information Systems
FIPS 201-1 | March, 2006 | current | Personal Identity Verification (PIV) of Federal Employees and Contractors
NIST SP800-113 | July, 2008 | current | Guide to SSL VPNs
NIST SP800-24 | August, 2000 | current | PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
NIST SP800-44 | September, 2002 | current | Guidelines on Securing Public Web Servers
NIST SP800-45 | August, 2006 | DRAFT | Guidelines on Electronic Mail Security
NIST SP800-46 | June, 2009 | current | Guide to Enterprise Telework and Remote Access Security
NIST SP800-58 | January, 2005 | current | Security Considerations for Voice Over IP Systems
NIST SP800-63 | April, 2006 | current | Electronic Authentication Guideline
NIST SP800-73-part2 | February, 2010 | current | Interfaces for Personal Identity Verification
NIST SP800-76 | September, 2006 | DRAFT | Biometric Data Specification for Personal Identity Verification
NIST SP800-77 | December, 2005 | current | Guide to IPsec VPNs
NIST SP800-78 | December, 2010 | current | Cryptographic Algorithms and Key Sizes for Personal Identity Verification
NIST SP800-87 | January, 2006 | current | Codes for Identification of Federal and Federally-Assisted Organizations
NIST SP800-96 | September, 2006 | current | PIV Card to Reader Interoperability Guidelines