Check: DSN06.04
Defense Switched Network (DSN) STIG:
DSN06.04
(in versions v2 r8 through v2 r7)
Title
DSN capability to restrict user access based on duty hours must be used when available. (Cat III impact)
Discussion
User access should be restricted based on duty hours, where technically feasible. Restricting user access to the DSN to the user's work hours and workweek will mitigate security vulnerabilities if a user account is compromised. If available, technically feasible (i.e., the system is capable of performing the restriction), and implemented, this option provides additional access control to the system.
Check Content
Review site documentation to confirm DSN capability to restrict user access based on duty hours is available. If the DRSN capability to restrict user access based on duty hours is not used when available, this is a finding.
Fix Text
Implement the DSN capability to restrict user access based on duty hours when available. If the time of day (TOD) access restriction function is available through the DSN/DRSN system, it should be provisioned to allow user access within a specified window. For example, if a user is assigned to work on a DSN component Monday through Friday 8 am – 5 pm, these are the hours the DSN component will allow that user to gain access.
Additional Identifiers
Rule ID: SV-8426r2_rule
Vulnerability ID: V-7940
Group Title: Duty hour restriction
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.