
Possibly 4 obsolete controls in Cloud Guardrails based on new CCCS ITSP.50.103 recommendations.

Open. testpuddle opened this issue 4 years ago • 1 comment

Issue: Four controls referenced in the Government of Canada (GC) Guardrails are not referenced in more recent GC cloud guidance and should possibly be removed.

Background:

The PBMM Cloud Profile V1.1 was published in 2018. The Guardrails referenced these controls.

The Canadian Centre for Cyber Security (CCCS) published recommendations for the ITSP.50.103 Low and Medium Cloud Profiles effective May 2020.

As of 11 Sep 20, the GC Guardrails reference 4 controls which are not contained in the Low or Medium Profiles recommendation issued by the CCCS.

AC-9, AC-20(3), IA-5(13), SA-22

Analysis

The GC Guardrail - "Protect root / global admins account Management of administrative privileges Cloud console access Enterprise monitoring accounts" - references AC-9, AC-20(3), IA-5(13) which are not part of ITSP.50.103.

AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).

AC-20(3) USE OF EXTERNAL INFORMATION SYSTEMS | NON-ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.

IA-5(13) AUTHENTICATOR MANAGEMENT | EXPIRATION OF CACHED AUTHENTICATORS The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period].

The GC Guardrail - "Configuration of Cloud Marketplaces" - references SA-22 which is not part of ITSP.50.103 recommendations.

SA-22 UNSUPPORTED SYSTEM COMPONENTS

The organization:
  a. Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
  b. Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.

Recommendations

  1. Confirm whether the AC-9, AC-20(3), IA-5(13), SA-22 controls are still valid; and
  2. Either remove them from the Guardrails or add an annotation indicating that they are in addition to the ITSP.50.103 recommendations.

For consideration.

testpuddle, Sep 11 '20 13:09

reviewing....

fmichaelobrien, Apr 22 '22 14:04