U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Privileged Account Management for the Financial Services Sector

Monitoring, auditing, and authentication controls can combine to prevent unauthorized access to, and allow rapid detection of, unapproved privileged account use.

Highlighting how organizations can add a security layer between users and the privileged accounts they access

Privileged accounts provide elevated, often unrestricted access to an organization's underlying information systems and technology, making them rich targets for malicious actors. Privileged accounts in the hands of malicious actors can cause significant operational damage including data theft, espionage, sabotage, ransom, or bypassing important safety controls. Organizations can use the Privileged Account Management NIST Cybersecurity Practice Guide to appropriately secure and enforce organizational policies for privileged account use.
Status: Reviewing Comments

Upon review, we recognize that this NIST/NCCoE publication contains potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

NIST SP 1800-18: Complete Guide (PDF) (Draft)Document Version NIST SP 1800-18: Complete Guide (PDF) (Draft)
NIST SP 1800-18: Executive Summary (Draft)Document Version NIST SP 1800-18: Executive Summary (Draft)
NIST SP 1800-18B: Approach, Architecture, and Security Characteristics (Draft)Document Version NIST SP 1800-18B: Approach, Architecture, and Security Characteristics (Draft)
NIST SP 1800-18C: How-To Guides (Draft)Document Version NIST SP 1800-18C: How-To Guides (Draft)

Project Abstract

Privileged account management (PAM) is a domain within identity and access management (IdAM) that focuses on monitoring and controlling the use of privileged accounts. Privileged accounts include local and domain administrative accounts, emergency accounts, application management, and service accounts. These powerful accounts provide elevated, often nonrestricted, access to underlying IT resources and technology, which is why external and internal malicious actors seek to gain access to them. It is critical to monitor, audit, control, and manage privileged account usage.  

The reference design highlights how organizations can add a security layer between users and the privileged accounts they access and includes representative use-case scenarios to address specific challenges that the financial services sector faces. The PAM reference design shows how monitoring, auditing, and authentication controls can combine to prevent unauthorized access to, and allow rapid detection of unapproved use of privileged accounts. 

Organizations implementing a Privileged Account Management system are able to protect, monitor, and audit privileged account access, and reduce the possibility of data destruction, data exfiltration, ransomware attacks, and system failure.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 

Request to Join
Employee speaking on video call with colleagues on online briefing with laptop at home