Privileged Account Management

Current Status

This project is currently seeking technology vendors to participate in the development of an example solution. Please see our Federal Register notice for more information. After reviewing the notice, if you as a technology provider are interested in providing products and technical expertise as a collaborator on the reference design for this project, please send an email to financial_nccoe@nist.gov requesting a Letter of Interest template.

Download the Privileged Account Management: Securing Privileged Accounts draft project description for more information on the project.

Summary

The National Cybersecurity Center of Excellence (NCCoE) at NIST is proposing a project to provide guidance on and demonstrate the secure usage and management of privileged accounts, also referred to as Privileged Account Management (PAM). This project will include the development of a reference design and use commercially available technologies to develop an example solution that will help financial sector companies implement stronger controls for privileged account security.

PAM is the aspect of identity and access management that addresses administrative accounts/users within an organization. Complex organizations, including financial services companies, face challenges managing privileged accounts  These challenges include:

  • controlling and monitoring (and auditing) use of these accounts
  • ensuring personal accountability among privileged users
  • enforcing least privilege and separation of duties policies

This is especially problematic as many privileged accounts provide the “keys to the kingdom” for attackers or malicious insiders because these accounts provide elevated, often unrestricted, access to corporate resources and critical systems (e.g. “crown jewels”), beyond what a regular user would have. Past successful cyber-attacks have made use of privileged accounts to gain access to information or systems of interest resulting in data breaches.

This project focuses on the control of privileged account use to enable organizations to enforce access policies for users without compromising their ability to perform job tasks. Improved control and management of privileged accounts can limit the access any single individual or malicious actor has to systems and data, thereby improving an organization’s cybersecurity posture. The scope of the project will include management and control of privileged accounts used to administer the IT infrastructure. It will result in a publicly available NIST Cybersecurity Practice Guide, a detailed implementation guide of the practical steps required to implement a cybersecurity reference design that addresses this challenge.

Join Our Community of Interest

Interested in joining the Privileged Account Management Community of Interest? Contact us!

A Community of Interest is a group of professionals and technical advisors convened to support the cybersecurity resiliency of the U.S. economy. Read More.

News and Events

NCCoE Kicks Off Three New Projects
October 12, 2017