Part One: In-Depth Look at PAM Controls for DFARS Requirements

In previous blogs, CyberSheath security analysts have identified new cybersecurity requirements from the recent changes to DFARS and have provided solution overviews for meeting those requirements and regulations. The series “In-Depth Look at PAM Controls for DFARS Requirements” will expand on previously mentioned regulations and provide a more granular look at how privileged account management solutions can play an important role in meeting DFARS requirements.

Back in March, we identified eight NIST 800-171 requirements where PAM suites can provide an ideal solution. These requirements include:

  1. NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
  4. NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  5. NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  6. NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
  7. NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  8. NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

The first of these eight NIST controls is to “limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)”. In layman’s terms, only give access to those people, processes or devices that have permission or approval. As Yanni previously mentioned, this is the most basic functionality and purpose of a privileged account management solution. What may seem basic to some, it may be complex to others, so let’s break down what limiting access to authorized users looks like using the CyberArk Privileged Account Management solution.

In the context of DFARS, all accounts that provide access to “Covered Defense Information” should be considered privileged and be “vaulted” or stored within the hardened CyberArk database. These accounts are stored in various “safes” according to who should have access to them. For example, anyone with access to “Safe 1” in the image below, will have access to all the accounts within the safe. Safes 2, 3 and 4 would be provisioned separately.

With CyberArk, organizations can provision their employees access to these safes and accounts either directly using their preexisting account such as a personal Windows AD account, or provision an LDAP group of users instead, giving the entire group access. Organizations can implement their own internal approval system so that when a request is complete, it would automatically provide access to CyberArk and the credentials, and subsequently, the Covered Defense Information.

Additional controls can be implemented to lock down authorized access further, including ticketing system integration and time-restrictions. Ticketing system integration adds an additional layer of authorization by ensuring that those employees who have access to accounts can only use them when they have a valid ticket or reason (see example 1 below). Time-restrictions can limit the hours in which employees can access privileged accounts. If an employee attempts to access an account outside of the allowed time frame, they will be unable to access it, and a fully auditable event will be logged (see example 2 below).

Example 1: Ticket Integration

Example 2: Time-Restriction


There are advanced features in the CyberArk suite such as privileged session recording and transparent connections (using credentials without ever seeing them), and they all work on the basic foundation of limiting access to authorized users.

CyberSheath’s security consultants and implementation engineers are well versed in DFARS and privileged account management. Download our security assessment datasheet to learn more about how CyberSheath can help enable your organization to stay productive while meeting DFARS compliance. Subscribe to our email updates to stay up to date with our DFARS series.