I have a question regarding Control Enhancement AC-6(3). The control states that the organization authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs and documents the rationale for such access in the security plan for the information system. Does this mean that every privilege-level command has to be listed? Can a general one-liner be used that states that privileged functions are limited to those needed for the user's admin role, or something like that? For example, Exchange server admins are limited to Exchange privilege-level commands? What is the best way to state the authorized privilege-level commands in the SSP?
Dr. RMF responds:
JZ, you are correct in saying it would be utterly infeasible to list individual "privileged commands" in the security plan, so a general statement will have to do. In this day and age, most systems are hosted by data centers or cloud service providers, thus all access is "network access"; that in itself is the "compelling operational need" for network access to privileged commands. Dr. RMF notes that Control Enhancement AC-6(3) applies only to systems categorized as High for Confidentiality or Integrity, so this situation will occur in only a small minority of information systems.
Do you have an RMF dilemma that you could use some advice on handling? If so, Ask Dr. RMF! BAI's Dr. RMF consists of BAI's senior RMF consultants, who have decades of RMF experience as well as peer-reviewed published RMF research.
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/.