
NIST 800-53 Rev 4, FISMA, and SSH

US law specifies minimum information security requirements for information systems used by the federal government. The Federal Information Security Management Act of 2014 (FISMA) authorizes NIST, the National Institute of Standards and Technology, to specify the technical requirements.

FIPS (Federal Information Processing Standard) 200, Minimum Security Requirements for Federal Information and Information Systems, sets out these requirements. This in turn refers to NIST Special Publication 800-53 as the mandatory minimum controls that federal agencies must implement.

NIST SP 800-53 has undergone several revisions as the state of the art and understanding of cyber attacks and defences has improved. It is now at revision 4, also called NIST SP 800-53r4.

The basic purpose of NIST SP 800-53 is to establish cybersecurity standards and guidelines for US Federal government agencies and federal information systems. It is also widely followed in the private sector. It generally represents industry best practice in cybersecurity.

Use of NIST 800-53 is recommended for state, local, and tribal governments and for critical infrastructure maintained by the private sector.

NIST 800-53 controls and SSH

The security controls in this publication have a well-defined organization and are grouped into several families. SSH key management touches multiple families within NIST SP 800-53. For these controls to be effective, and for the organization to be compliant with the requirements, the risks and vulnerabilities introduced by unmanaged SSH keys cannot be ignored.

The table below shows a sample of how some of these control families relate to SSH keys:

NIST 800-53 control family | SSH implications
---------------------------|-----------------
Account Management         | SSH user keys authorize access, so they must be properly managed: enable enhanced SSH auditing to provide audit trails, require valid authorization before a key is installed, monitor SSH keys periodically, and rotate SSH private keys on schedule.
Access Enforcement         | Approvals for key-based access should be enforced. Prevent users from propagating access by creating new private keys of their own.
Least Privilege            | Configure command restrictions for SSH keys. Configure SSH keys for privileged accounts only where a non-privileged account cannot do the task. Prevent unauthorized access to private keys that grant privileged access.
Remote Access              | Enforce policies when allowing SSH key-based remote access. Require host key management to prevent man-in-the-middle attacks.
Continuous Monitoring      | Regularly analyze SSH-based access.
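
The Least Privilege, Remote Access and Continuous Monitoring rows above describe checks that can be automated against the authorized_keys files on a host. The following Python script is an added example, not code from the original page or from any vendor's product: it parses OpenSSH authorized_keys entries (options, key type, comment) and reports keys that lack a command= restriction, a from= source restriction, or the forwarding/pty denials (or the OpenSSH restrict option, which implies all of them). The sample file is constructed, the key blobs are placeholders rather than real public keys, and the control identifiers in the findings (AC-6, AC-17) are my own mapping of the family names to NIST 800-53 control numbers.

```python
"""Audit OpenSSH authorized_keys entries for least-privilege options.

Added example for this page; assumes standard OpenSSH authorized_keys
syntax (optional comma-separated options, key type, base64 blob, comment).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Key types OpenSSH accepts; used to decide whether a line begins with options.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
# Denials a restricted key should carry unless it uses the "restrict" option.
FORWARDING_DENIALS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# backup pull: one command, one source host, everything else denied
command="/usr/local/bin/rsync-wrapper",from="10.0.5.20",restrict ssh-ed25519 AAAAC3Nz...placeholder backup@bastion
# interactive admin key with no options at all
ssh-rsa AAAAB3Nz...placeholder alice@laptop
# deploy key: command restricted, but forwarding and pty still allowed
command="/opt/deploy/run.sh",from="10.0.9.0/24" ssh-ed25519 AAAAC3Nz...placeholder deploy@ci
# legacy key using a deprecated algorithm
ssh-dss AAAAB3Nz...placeholder legacy@app01
"""


@dataclass
class AuthorizedKey:
    lineno: int
    key_type: str
    comment: str
    options: Dict[str, Optional[str]] = field(default_factory=dict)


def _split_first_field(line: str):
    """Split at the first whitespace outside double quotes: (first_field, rest)."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].strip()
    return line, ""


def parse_options(spec: str) -> Dict[str, Optional[str]]:
    """Parse 'command="a,b",no-pty,from="10.0.0.0/8"' into {name: value-or-None}."""
    opts: Dict[str, Optional[str]] = {}
    buf, in_quotes = "", False
    s = spec + ","  # trailing comma flushes the last option
    for i, ch in enumerate(s):
        if ch == '"' and (i == 0 or s[i - 1] != "\\"):
            in_quotes = not in_quotes  # quotes delimit values; they are dropped
            continue
        if ch == "," and not in_quotes:
            if buf:
                name, _, value = buf.partition("=")
                opts[name.lower()] = value if "=" in buf else None
            buf = ""
            continue
        buf += ch
    return opts


def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    """Return one AuthorizedKey per non-comment, well-formed line."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first, rest = _split_first_field(line)
        if first in KEY_TYPES:
            options, fields = {}, line.split(None, 2)
        else:
            options, fields = parse_options(first), rest.split(None, 2)
        if len(fields) < 2:
            continue  # malformed entry (no key blob); skipped here
        comment = fields[2] if len(fields) == 3 else ""
        keys.append(AuthorizedKey(lineno, fields[0], comment, options))
    return keys


def audit_key(key: AuthorizedKey) -> List[str]:
    """Findings for one key, phrased against the control families on this page."""
    findings = []
    o = key.options
    restricted = "restrict" in o  # "restrict" implies no-pty and all forwarding denials
    if key.key_type == "ssh-dss":
        findings.append("deprecated ssh-dss key type")
    if "command" not in o:
        findings.append("no command= restriction (AC-6 least privilege)")
    if "from" not in o:
        findings.append("no from= source restriction (AC-17 remote access)")
    if not restricted and not FORWARDING_DENIALS <= set(o):
        findings.append("port/agent/X11 forwarding not disabled")
    if not restricted and "command" in o and "no-pty" not in o:
        findings.append("command-restricted key still allows a pty")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Map each key (by comment, or 'line N' if no comment) to its findings."""
    return {k.comment or f"line {k.lineno}": audit_key(k) for k in parse_authorized_keys(text)}


def count_noncompliant(results: Dict[str, List[str]]) -> int:
    return sum(1 for f in results.values() if f)


if __name__ == "__main__":
    report = audit(SAMPLE_AUTHORIZED_KEYS)
    for name, findings in report.items():
        print(name, "->", "; ".join(findings) or "ok")
    print(f"{count_noncompliant(report)} of {len(report)} keys need attention")
```

Run against the real files (for example, every ~/.ssh/authorized_keys and any AuthorizedKeysFile path from sshd_config) and keep the output as the periodic review record the Continuous Monitoring row asks for.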

NIST IR 7966 describes these requirements in more detail and maps its recommendations on SSH access control to NIST 800-53 and NIST Cybersecurity Framework controls.

Ramifications of non-compliance

Non-compliance with NIST 800-53 could be catastrophic for government agencies and, from a best-practice perspective, has a large impact on security programs in the private sector. FISMA holds federal agencies accountable for securing government information. Failure to pass an inspection can result in, among other things:

  • Significant administrative sanctions
  • Unfavorable publicity
  • Reduction of IT budget.

Recommendations

Adhering to NIST 800-53 controls paves the way to compliance with laws and regulations such as FISMA and HIPAA, and provides the guidelines for the controls required of federal information systems. Complying with it also ensures that organizations have effective controls in place to protect what is important and to keep their infrastructure secure.

By the same token, organizations must attend to the security of SSH key management. It is no longer enough to address passwords and other types of credentials while leaving out the access granted by SSH keys. Access granted by an SSH key is by default an elevated type of access, so it must be controlled as you would any other privileged access.

As you navigate our site, you will pick up on the risks and vulnerabilities related to poor SSH key management and, we hope, walk away with best-practice recommendations to help you inventory, control, remediate and govern SSH key access.

Additional information