NIST 800-53, FISMA, and SSH

One critical area of the National Institute of Standards and Technology (NIST) responsibility is to establish Cybersecurity standards and guidelines for US Federal government agencies, and the private sector. NIST Special Publication (SP) 800-53 was published to provide guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.

NIST SP 800-53 describes the IT security controls federal agencies must implement as required by the Federal Information Security Management (FISMA) Act of 2014 and are widely accepted industry standard best practices, even for commercial entities that are not doing business with the Federal government. It also states that it is important to centrally secure controls for your operations and assets of your organization.

NIST 800-53 and SSH

Security controls described in this publication have a well-defined organization and structure and are broken up into eighteen (18) families of controls. SSH keys access controls crosses multiple families within NIST SP 800-53. To ensure effectiveness of these controls and yet be compliant with the NIST SP 800-53, organizations must not ignore the risks and vulnerabilities introduced due to the lack of security around the management of SSH keys.

Table below reflects a sample of how some of these control families and SSH keys are related:

NIST 800-53SSH Implications
Account ManagementSSH user keys authorize access; make sure they are properly managed. Enhanced auditing is SSH enabled to provide audit trails. Valid authorization before installing keys. SSH keys monitored periodically. Ensure timely rotation of SSH private keys.
Access EnforcementApprovals for key-based access should be enforced. Prevent users from propagating access through new private keys.
Least PrivilegeCommand restrictions configured for SSH keys. SSH keys for privileged accounts configured only if non-privileged account cannot do the task. No unauthorized access to private keys that grant privileged access.
Remote AccessEnforce policies when allowing SSH key-based remote access. Host key management should be required for preventing man-in-the-middle attacks.
Continuous MonitoringSSH-based access should be regularly analyzed.

Ramifications of Non-compliance

Non-compliance with the NIST 800-53 could be catastrophic for government agencies and, from a best practice perspective, have a huge impact on the security programs within the private sector. FISMA holds federal agencies accountable to secure government information. Failure to pass an inspection can result in (to name a few):

  • Significant administrative sanctions
  • Unfavorable publicity
  • Reduction of IT budget.

Recommendations

Adhering to NIST 800-53 controls simply paves the way to compliance with laws and regulations such as FISMA and HIPAA. It also provides the guidelines for the controls required for federal information systems. By the nature of complying simply ensures organizations have effective controls in their efforts protecting what’s important and that their infrastructures are secure.

On that token, organizations must attend to the security around SSH key management. It is no longer enough to address credentials and other types of access and not including the access granted by SSH keys. SSH keys access by default is an elevated type of access so it must be controlled as you would any type of privileged access.

As you navigate our site, you will surely pick up on the risks and vulnerabilities related to poor SSH key management and hopefully walk away with best practice recommendations to help you inventory, control, remediate and govern SSH keys access.

For additional information: