PRIV: Manage Privileges FAQ

What is the Manage Account Access/Manage Privileges (PRIV) security capability?

The Manage Privileges and Accounts (PRIV) security capability provides agencies insight into risks associated with authorized users being granted excessive privileges to facilities and systems.

What security results should we be able to achieve by implementing PRIV?

The PRIV security capability will help ensure that authorizations and accounts do not exceed the privileges required by a user’s attributes (or specific needs to meet his or her job duties). The capability will also provide insight into whether access authorization and reauthorization policies are incurring more risk than deemed acceptable by an agency.

What type of security issues are addressed by the PRIV security capability?

In a typical agency, privileges are assigned locally based on requests for access. Over time, as jobs and missions change, more privileges are granted to individuals and few (if any) are ever removed. The effects of such aggregated privileges across an organization can represent great risk. The more significant resources a single account can access throughout an agency, the more risk that account presents to the agency if it is compromised.

What can I do to reduce my exposure to attacks exploiting poor privilege management?

Users are given certain privileges to perform work on systems. These privileges are often denoted by roles (also known as attributes) or by security groups to which a user is assigned. To reduce exposure to attacks, an agency must define what access each user role can have. This includes continuously monitoring user accounts to ensure each account matches the user’s duties and does not provide excess privileges. Additionally, through dynamic separation of duties, agencies can reduce internal security threats by preventing specific roles from accessing the same information simultaneously.

Accounts that are no longer in use (e.g., after an employee leaves a position, or after test accounts used for a network assessment have served their purpose) should be disabled or deleted, since they are often targeted by attackers to gain unauthorized access.

How does the PRIV security capability define a privilege?

It defines a privilege as a permission to perform an action. For Continuous Diagnostics and Mitigation (CDM), the privileges span both physical (e.g., can enter a server room) and logical (e.g., can browse the Internet) actions.

How does the PRIV security capability support ongoing automated assessments as defined by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations?

The PRIV security capability helps to fulfill the Access Control (AC), Identification and Authentication (IA), Audit and Accountability (AU), System and Communications Protection (SC), and System and Information Integrity (SI) controls of NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

What data should we collect to better prepare to implement the PRIV security capability?

Agencies should collect data associated with each authorization or account issued to a user, including the privileges required for a role, actual roles the user is assigned to or authorized to use, and the locally defined account policies. This will provide measurable data elements for automated security checks. These security checks provide the basis for automating the monitoring, reporting, and prioritization of privilege and account deficiencies in an agency’s cyber environment. CDM will display deficiencies for review and action.

How can I assign managers for the PRIV security capability?

Agencies should collaborate with their designated CDM program point of contact (POC); Identity, Credential, and Access Management (ICAM) program management office; and information security managers to identify the individuals responsible for managing the access of users, including privileged users, to the information and systems directly associated with their roles.

How can we prevent unauthorized users from getting on the network in the first place?

Accounts that are no longer needed by a user should be disabled or deleted, since they can be targeted by attackers to gain unauthorized access. Example scenarios for this include a user leaving an agency but still having active accounts, or keeping test accounts for network assessment activities running after the assessment is completed. These and other poor management practices create security weaknesses that an attacker could exploit to bypass security controls and gain access to restricted devices or sensitive data.

How does the PRIV security capability support other CDM security capabilities?

The PRIV security capability supports other CDM security capabilities by providing actual state and desired state conditions related to privilege management within an agency. CDM can compare these conditions to determine risk areas agencies need to address.

What is the Master User Record (MUR)?

Each CDM Phase 2 security capability requires data on user attributes (e.g., a user’s roles, security privileges, accounts) to enforce policy and identify defects regarding who is on the network. The MUR serves as a repository for user-related data collected from CDM tools and sensors, and contains a set of attributes or assertions about each user. The MUR stores information for each user that requests access to information, information systems, and facilities. It consolidates a user’s comprehensive set of job functions and system roles and their associated accesses and privileges in one place.
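The automated security checks described under "What data should we collect", the actual-state versus desired-state comparison under "How does PRIV support other CDM security capabilities", and the consolidated per-user record described for the MUR can be illustrated with a small worked example. The following Python is an added example and is not CDM program code or part of this FAQ: the role-to-privilege table, the MUR-style records, the account identifiers, the dates, and the 90-day idle threshold are all constructed for illustration. It computes the desired privilege set for a user from the roles they hold, compares it against the privileges actually present on each of the user's accounts, and reports two kinds of deficiency: privileges that exceed what the roles justify, and accounts that have not been used within the idle threshold (the "test account left running" case in the FAQ).

```python
from datetime import date

# Constructed desired-state data: the privileges each role is supposed to carry.
# In an agency this would come from the locally defined role/account policies.
ROLE_PRIVILEGES = {
    "helpdesk": {"reset_password", "view_ticket"},
    "dba": {"db_read", "db_write", "db_admin"},
    "analyst": {"db_read", "view_ticket"},
}

# Constructed MUR-style records (hypothetical users and accounts): for each user,
# the roles assigned and the accounts issued, with the privileges actually found
# on each account (actual state) and when the account was last used.
MUR = [
    {"user": "alice", "roles": {"analyst"}, "accounts": [
        {"id": "alice@corp", "privileges": {"db_read", "view_ticket"},
         "last_used": date(2024, 5, 1)},
    ]},
    {"user": "bob", "roles": {"helpdesk"}, "accounts": [
        # db_admin is not justified by the helpdesk role: an excess privilege.
        {"id": "bob@corp", "privileges": {"reset_password", "view_ticket", "db_admin"},
         "last_used": date(2024, 5, 3)},
    ]},
    {"user": "carol", "roles": {"dba"}, "accounts": [
        {"id": "carol@corp", "privileges": {"db_read", "db_write", "db_admin"},
         "last_used": date(2024, 5, 2)},
        # A test/service account left over from an assessment, unused for months.
        {"id": "pentest-svc", "privileges": {"db_admin"},
         "last_used": date(2023, 11, 1)},
    ]},
]


def desired_privileges(roles, role_privileges=ROLE_PRIVILEGES):
    """Desired state: the union of privileges granted by every role a user holds.
    Unknown roles contribute nothing, so they surface as excess privilege below."""
    return set().union(*(role_privileges.get(role, set()) for role in roles))


def find_deficiencies(mur, role_privileges=ROLE_PRIVILEGES,
                      today=date(2024, 5, 10), max_idle_days=90):
    """Compare actual state (account privileges, last use) against desired state
    (role-derived privileges, idle threshold) and return one finding per defect."""
    findings = []
    for record in mur:
        desired = desired_privileges(record["roles"], role_privileges)
        for acct in record["accounts"]:
            excess = acct["privileges"] - desired
            if excess:
                findings.append({
                    "user": record["user"], "account": acct["id"],
                    "type": "excess_privilege", "detail": sorted(excess),
                })
            idle_days = (today - acct["last_used"]).days
            if idle_days > max_idle_days:
                findings.append({
                    "user": record["user"], "account": acct["id"],
                    "type": "stale_account", "detail": idle_days,
                })
    # Prioritize: excess privileges on an account are reviewed before idle accounts,
    # and within each type the larger deviation comes first.
    order = {"excess_privilege": 0, "stale_account": 1}
    findings.sort(key=lambda f: (order[f["type"]],
                                 -(len(f["detail"]) if isinstance(f["detail"], list)
                                   else f["detail"])))
    return findings


if __name__ == "__main__":
    for finding in find_deficiencies(MUR):
        print(f'{finding["type"]:17} {finding["user"]:6} {finding["account"]:12} '
              f'{finding["detail"]}')
```

Run stand-alone, the script lists bob@corp with the excess db_admin privilege and the long-idle pentest-svc account; alice's account and carol's primary account match their roles and are not reported. The same comparison generalizes to physical privileges (a badge record with "server_room" as a privilege works unchanged), which is the PRIV definition of a privilege as any permission to perform an action.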