Title

Shared user accounts are used and not documented by the ISSO/IAO. (Cat II impact)

Discussion

Requirement: The IAO will ensure that shared user accounts will not be used. Unless the use of shared user accounts is operationally essential and/or the device in question does not support multiple accounts. The identity of users of DSN components need to be available to the ISSO/IAO through the use of unique usernames assigned to each user. This ensures that the ISSO/IAO is able to hold users accountable for their actions through the analysis of audit records. This type of accountability cannot be accomplished if shared accounts are used.

Check Content

Have the IAO or SA demonstrate compliance with the requirement; minimally on a sampling of the related or effected devices.

Fix Text

Document shared accounts - i.e., Keep a record of the human user and their assigned username. Shared accounts will only be used if required out of operational necessity and documented by the ISSO/IAO.

Additional Identifiers

Rule ID: SV-8444r1_rule

Vulnerability ID: V-7958

Group Title: Shared user accounts are used and not documented.

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.