NIST 800-53 SSH key management requirements
US law specifies a minimum information security requirements for information systems used by the federal government. The Federal Information Security Management Act of 2014 (FISMA) authorizes NIST, the National Institute of Standards and Technology, to specify the technical requirements.
FIPS (Federal Information Processing Standard) 200, Minimum Security Requirements for Federal Information and Information Systems, sets out these requirements. This in turn refers to NIST Special Publication 800-53 as the mandatory minimum controls that federal agencies must implement.
NIST SP 800-53 has undergone several revisions as the state of the art and understanding of cyber attacks and defences has improved. It is now at revision 4, also called NIST SP 800-53r4.
The basic purpose of NIST SP 800-53 is to establish cybersecurity standards and guidelines for US Federal government agencies and federal information systems. It is also widely followed in the private sector. It generally represents industry best practice in cybersecurity.
Use of NIST 800-53 is recommended for state, local, and tribal governments and for critical infrastructure maintained by the private sector.
Contents
NIST 800-53 controls and SSH Ramifications of non-compliance Recommendations Additional informationNIST 800-53 controls and SSH
Security controls described in this publication have a well-defined organization and structure and are broken up into several families of controls. SSH key management touches multiple families within NIST SP 800-53. To ensure effectiveness of these controls and yet be compliant with the requirements, organizations must not ignore the risks and vulnerabilities introduced due to the lack of security around the management of SSH keys.
Table below reflects a sample of how some of these control families and SSH keys are related:
NIST 800-53 control family | SSH Implications |
---|---|
Account Management | SSH user keys authorize access; make sure they are properly managed. Enhanced auditing is SSH enabled to provide audit trails. Valid authorization before installing keys. SSH keys monitored periodically. Ensure timely rotation of SSH private keys. |
Access Enforcement | Approvals for key-based access should be enforced. Prevent users from propagating access through new private keys. |
Least Privilege | Command restrictions configured for SSH keys. SSH keys for privileged accounts configured only if non-privileged account cannot do the task. No unauthorized access to private keys that grant privileged access. |
Remote Access | Enforce policies when allowing SSH key-based remote access. Host key management should be required for preventing man-in-the-middle attacks. |
Continuous Monitoring | SSH-based access should be regularly analyzed. |
NIST 7966 outlines these requirements in more detail and contains a mapping of its recommendations on SSH access control to NIST 800-53 and the NIST Cybersecurity Framework controls.
Ramifications of non-compliance
Non-compliance with the NIST 800-53 could be catastrophic for government agencies and, from a best practice perspective, have a huge impact on the security programs within the private sector. FISMA holds federal agencies accountable to secure government information. Failure to pass an inspection can result in (to name a few):
Significant administrative sanctions
Unfavorable publicity
Reduction of IT budget.
Recommendations
Adhering to NIST 800-53 controls simply paves the way to compliance with laws and regulations such as FISMA and HIPAA. It also provides the guidelines for the controls required for federal information systems. By the nature of complying simply ensures organizations have effective controls in their efforts protecting what’s important and that their infrastructures are secure.
On that token, organizations must attend to the security around SSH key management. It is no longer enough to address credentials and other types of access and not including the access granted by SSH keys. SSH keys access by default is an elevated type of access so it must be controlled as you would any type of privileged access.
As you navigate our site, you will surely pick up on the risks and vulnerabilities related to poor SSH key management and hopefully walk away with best practice recommendations to help you inventory, control, remediate and govern SSH keys access.