Part One: In-Depth Look at PAM Controls for DFARS Requirements

By Eric Noonan • September 12, 2016

In previous blogs, CyberSheath security analysts have identified new cybersecurity requirements from the recent changes to DFARS and have provided solution overviews for meeting those requirements and regulations. The series “In-Depth Look at PAM Controls for DFARS Requirements” will expand on previously mentioned regulations and provide a more granular look at how privileged account management solutions can play an important role in meeting DFARS requirements.

Back in March, we identified eight NIST 800-171 requirements where PAM suites can provide an ideal solution. These requirements include:

  1. NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
  4. NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  5. NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  6. NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
  7. NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  8. NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

The first of these eight NIST controls is to “limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)”. In layman’s terms, only give access to those people, processes or devices that have permission or approval. As Yanni previously mentioned, this is the most basic functionality and purpose of a privileged account management solution. What may seem basic to some, it may be complex to others, so let’s break down what limiting access to authorized users looks like using the CyberArk Privileged Account Management solution.

In the context of DFARS, all accounts that provide access to “Covered Defense Information” should be considered privileged and be “vaulted” or stored within the hardened CyberArk database. These accounts are stored in various “safes” according to who should have access to them. For example, anyone with access to “Safe 1” in the image below, will have access to all the accounts within the safe. Safes 2, 3 and 4 would be provisioned separately.


With CyberArk, organizations can provision their employees access to these safes and accounts either directly using their preexisting account such as a personal Windows AD account, or provision an LDAP group of users instead, giving the entire group access. Organizations can implement their own internal approval system so that when a request is complete, it would automatically provide access to CyberArk and the credentials, and subsequently, the Covered Defense Information.

Additional controls can be implemented to lock down authorized access further, including ticketing system integration and time-restrictions. Ticketing system integration adds an additional layer of authorization by ensuring that those employees who have access to accounts can only use them when they have a valid ticket or reason (see example 1 below). Time-restrictions can limit the hours in which employees can access privileged accounts. If an employee attempts to access an account outside of the allowed time frame, they will be unable to access it, and a fully auditable event will be logged (see example 2 below).


Example 1: Ticket Integration


Example 2: Time-Restriction


There are advanced features in the CyberArk suite such as privileged session recording and transparent connections (using credentials without ever seeing them), and they all work on the basic foundation of limiting access to authorized users.

CyberSheath’s security consultants and implementation engineers are well versed in DFARS and privileged account management. Download our security assessment datasheet to learn more about how CyberSheath can help enable your organization to stay productive while meeting DFARS compliance. Subscribe to our email updates to stay up to date with our DFARS series.

CyberSheath Blog

Dr. Robert Spalding to Address Nation-State Attacks at CMMC Con 2021

Since the inaugural CMMC Con, we’ve seen some of the most malicious attacks on American infrastructure ever executed. The SolarWinds attack reverberated across the entire government as agencies scrambled to discover what nation-state attackers had accessed and stolen. The Colonial Pipeline, shut down by a ransomware attack, led to fuel…

CMMC-AB vice chair Jeff Dalton to address CMMC Con 2021

The swiftness and severity of recent cyber attacks has dominated headlines and revealed that many organizations still don’t quite know what to do to protect themselves, as well as the businesses and government entities they’re connected to.   Ransomware attacks were a big point of discussion at the recent G7…

CMMC Con 2021 Opens Registration, Reveals Theme and Speakers

CMMC compliance stands in the way of revenue for every defense contractor in the supply chain. Now that CMMC is a reality for the Defense Industrial Base (DIB), learn how contractors — primes and subs, large and small, foreign-owned — are handling the standards and requirements, as well as the…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft