
Possible 4 obsolete controls in Cloud Guardrails based on new CCCS ITSP.50.103 recommendations. #26

Open
testpuddle opened this issue Sep 11, 2020 · 1 comment

@testpuddle

Issue: Four controls referenced in the Government of Canada (GC) Guardrails are not referenced in more recent GC cloud guidance and should possibly be removed.

Background:

The PBMM Cloud Profile V1.1 was published in 2018. The Guardrails referenced these controls.

The Canadian Centre for Cyber Security (CCCS) published recommendations for the ITSP.50.103 Low and Medium Cloud Profiles effective May 2020.

As of 11 Sep 20, the GC Guardrails reference 4 controls which are not contained in the Low or Medium Profiles recommendation issued by the CCCS.

AC-9, AC-20(3), IA-5(13), SA-22

Analysis

The GC Guardrails "Protect root / global admins account", "Management of administrative privileges", "Cloud console access" and "Enterprise monitoring accounts" reference AC-9, AC-20(3) and IA-5(13), which are not part of ITSP.50.103.

AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION
The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).

AC-20(3) USE OF EXTERNAL INFORMATION SYSTEMS | NON-ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES
The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.

IA-5(13) AUTHENTICATOR MANAGEMENT | EXPIRATION OF CACHED AUTHENTICATORS
The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period].

The GC Guardrail - "Configuration of Cloud Marketplaces" - references SA-22 which is not part of ITSP.50.103 recommendations.

SA-22 UNSUPPORTED SYSTEM COMPONENTS

The organization:
a. Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
b. Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.

Recommendations

  1. Confirm if the AC-9, AC-20(3), IA-5(13) and SA-22 controls are still valid; and
  2. Either remove them from the Guardrails or add an annotation indicating that they are in addition to the ITSP.50.103 recommendations.

For consideration.

@fmichaelobrien
Contributor

reviewing....
