Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ The organizational risk management strategy is a key factor in establishing poli

The following controls are related to this control:

* PM-9.
* PM-09

For more information, refer to the NIST Special Publications 800-12 and 800-100.

Expand Down
36 changes: 18 additions & 18 deletions content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac02.md
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ The organization:

### Supplemental Guidance

Information system account types include the following:
Information system account types include the following:

* Individual
* Shared
Expand Down Expand Up @@ -73,27 +73,27 @@ The organization:

The following controls are related to this control:

* AC-3
* AC-4
* AC-5
* AC-6
* [AC-03](/private-mendix-platform/nist-controls/ac-03/)
* AC-04
* AC-05
* AC-06
* AC-10
* AC-17
* AC-19
* AC-20
* AU-9
* IA-2
* IA-4
* IA-5
* IA-8
* CM-5
* CM-6
* CM-11
* MA-3
* MA-4
* MA-5
* PL-4
* SC-13.
* AU-09
* IA-02
* IA-04
* IA-05
* IA-08
* CM-05
* CM-06
* CM-011
* MA-03
* MA-04
* MA-05
* PL-04
* SC-13

## Responsibility

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
---
title: "AC-02 (02) Account Management - Removal Of Temporary / Emergency Accounts"
linktitle: "AC-02 (02)"
url: /private-mendix-platform/nist-controls/ac-0202/
description: "Documents the Private Mendix Platform's compliance with the AC-02 (02) control of the NIST 800-53 framework."
weight: 20
---

## Introduction

This document describes how Private Mendix Platform fulfills the AC-02 (02) control.

| Control ID | AC-02 (02) |
| --- | --- |
| Control category | AC - Access Control |
| Requirement baseline | FEDRAMP MODERATE |
| Responsibility and ownership | Customer - Org |

## Control

The information system automatically removes or; disables temporary and emergency accounts after an: organization-defined time period for each type of account.

### Supplemental Guidance

This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator.

## Responsibility

### Customer Responsibility

Private Mendix Platform does not provision temporary or emergency accounts outside of normal pre-provisioning and login (SSO) mechanisms.

## Guidance

### Customer Responsibility

To effectively manage temporary and emergency accounts, organizations should:

* Define specific time limits for each type of account based on operational needs and security requirements.
* Configure the information system to automatically disable or remove these accounts once the defined period expires.
* Regularly review account activity and ensure that no temporary or emergency account remains active beyond its authorized timeframe.
* Document the procedures for account creation, monitoring, and removal to ensure compliance and accountability.
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
---
title: "AC-02 (07) Account Management - Role-Based Schemes"
linktitle: "AC-02 (07)"
url: /private-mendix-platform/nist-controls/ac-0207/
description: "Documents the Private Mendix Platform's compliance with the AC-02 (07) control of the NIST 800-53 framework."
weight: 20
---

## Introduction

This document describes how Private Mendix Platform fulfills the AC-02 (07) control.

| Control ID | AC-02 (07) |
| --- | --- |
| Control category | AC - Access Control |
| Requirement baseline | FEDRAMP MODERATE |
| Responsibility and ownership | Customer - Org |

## Control

The organization:

* Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.
* Monitors privileged role assignments.
* Takes organization-defined actions when privileged role assignments are no longer appropriate.

### Supplemental Guidance

Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration.

## Responsibility

### Customer Responsibility

Customers are responsible for defining and documenting their organization-specific privileged roles in alignment with job functions and the principle of least privilege, establishing formal processes for requesting, approving, and provisioning privileged access within Private Mendix Platform. They must conduct periodic access reviews to ensure role assignments remain appropriate, and supplement the platform's built-in monitoring audit logging tools to capture a complete trail of privileged role changes.

Additionally, customers are responsible for defining and enforcing actions when privileged access is no longer appropriate — including integrating role revocation with Identity Provider (IdP) workflows to ensure timely de-provisioning upon employee offboarding or role changes, and establishing internal SLAs to govern the timeliness of such actions.

## Guidance

### Customer Responsibility

Privileged access to Private Mendix Platform is controlled through Role-Based Access Control (RBAC) that is driven by the customer's Identity Provider (IdP):

#### Authentication

Users authenticate through the customer's IdP (for example, Azure AD, Entra ID, or other SAML 2.0 or OIDC-compliant provider). The platform does not maintain independent credential stores for end users.

#### Role Assignment through IdP Claims or Groups

The customer's IdP asserts group memberships or role claims during authentication. These IdP groups or claims are mapped to corresponding Private Mendix Platform roles. This ensures that the customer retains centralized control over who holds privileged roles.

#### Access Enforcement

Upon authentication, the platform evaluates the user's IdP-asserted roles and grants or denies access to privileged actions accordingly. Users without the required privileged role mapping cannot access or execute privileged functions.

#### Lifecycle Management

When a user's group membership or role claim is modified or removed in the customer's IdP, their privileged access within Private Mendix Platform and Mendix applications is updated at the next authentication event. This ensures that privilege revocation is handled centrally through the IdP.

## Proof and Remarks

For more information on how Private Mendix Platform manages dynamic roles and groups, see [Dynamic Role Management in Private Mendix Platform](/private-mendix-platform/dynamic-role-management/#role-editing).

{{< figure src="/attachments/private-platform/nist-ac/nist-ac-0207-1.png" class="no-border" >}}

{{< figure src="/attachments/private-platform/nist-ac/nist-ac-0207-2.png" class="no-border" >}}

{{< figure src="/attachments/private-platform/nist-ac/nist-ac-0207-3.png" class="no-border" >}}

{{< figure src="/attachments/private-platform/nist-ac/nist-ac-0207-4.png" class="no-border" >}}
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ Separation of duties addresses the potential for abuse of authorized privileges

The following controls are related to this control:

* AC-3
* [AC-03](/private-mendix-platform/nist-controls/ac-03/)
* AC-6
* PE-3
* PE-4
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ Remote access controls apply to information systems other than public web server
The following controls are related to this control:

* AC-2
* AC-3
* [AC-03](/private-mendix-platform/nist-controls/ac-03/)
* AC-18
* AC-19
* AC-20
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 8
The following controls are related to this control:

* AC-2
* AC-3
* [AC-03](/private-mendix-platform/nist-controls/ac-03/)
* AC-17
* AC-19
* CA-3
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ Organizations are cautioned that the need to provide adequate security for mobil

The following controls are related to this control:

* AC-3
* [AC-03](/private-mendix-platform/nist-controls/ac-03/)
* AC-7
* AC-18
* AC-20
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ This control does not apply to the use of external information systems to access

The following controls are related to this control:

* AC-3
* [AC-03](/private-mendix-platform/nist-controls/ac-03/)
* AC-17
* AC-19
* CA-3
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ This control applies to information that may be restricted in some manner (for e

The following controls are related to this control:

* AC-3
* [AC-03](/private-mendix-platform/nist-controls/ac-03/)

## Responsibility

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ In accordance with federal laws, Executive Orders, directives, policies, regulat

The following controls are related to this control:

* AC-3
* [AC-03](/private-mendix-platform/nist-controls/ac-03/)
* AC-4
* AT-2
* AT-3
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,6 @@ This document describes how Private Mendix Platform fulfills the AU-09 control.

## Control

### AU-08

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

### Supplemental Guidance
Expand All @@ -27,7 +25,7 @@ The audit information includes all information needed to successfully audit info

The following controls are related to this control:

* AC-3
* [AC-03](/private-mendix-platform/nist-controls/ac-03/)
* AC-6
* MP-2
* MP-4
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
---
title: "AU-09 (02) Protection of Audit Information - Audit Backup on Separate Physical Systems or Components"
linktitle: "AU-09 (02)"
url: /private-mendix-platform/nist-controls/au-0902/
description: "Documents the Private Mendix Platform's compliance with the AU-09 (02) control of the NIST 800-53 framework."
weight: 20
---

## Introduction

This document describes how Private Mendix Platform fulfills the AU-09 (02) control.

| Control ID | AU-09 (02) |
| --- | --- |
| Requirement baseline | FEDRAMP MODERATE |
| Responsibility and ownership | Customer - Org, Customer - Infra |

## Control

The information system backs up audit records at an organization-defined frequency onto a physically different system or system component than the system or component being audited.

### Supplemental Guidance

This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records.

The following controls are related to this control:

* AU-04
* AU-05
* AU-11

## Responsibility

### Customer Responsibility

The customer is responsible for implementing this control in an appropriate manner in their organization. This includes establishing audit record backup policies and procedures that ensure logs are regularly replicated to a physically separate system to comply with federal requirements. The customer must ensure that backup destinations, frequencies, and retention periods for audit records are documented, reviewed, and enforced within their environment.

## Guidance

### Customer Responsibility

This control is governed by NIST SP 800-53 Rev 4 and NIST SP 800-92, which establish requirements for the protection and backup of audit information for federal information systems. Customers operating within a FedRAMP or DoD SRG environment must ensure their audit record backup mechanisms meet the baseline requirements for physical separation and data integrity.

To meet these requirements, the customer must carry out the following actions:

1. Define audit record backup destinations and frequency.

Establish and document where audit records and logs should be backed up to, ensuring the backup target is on a physically different system or system component than the one being audited. The customer must dictate backup frequency, retention periods, and acceptable storage locations in accordance with NIST SP 800-92 guidelines for log management.

2. Ensure infrastructure-level backup configuration.

Direct the Infra Implementer to ensure that audit record backups are properly created, configured, and populated on the designated physically separate system. This includes verifying that backup processes are automated, monitored for failures, and aligned with the organization's contingency planning requirements per NIST SP 800-34.

3. Ensure application-level audit log backup.

Direct the App Implementer to ensure that the Mendix App's custom audit logs are properly directed to the backup system as dictated by the Customer. This includes configuring log forwarding mechanisms within the application to target the designated backup infrastructure and validating that all auditable events are captured in the backup trail.
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ The policy can be included as part of the general information security policy fo

The following controls are related to this control:

* PM-9.
* PM-09.

For more information, refer to the NIST Special Publications 800-12, 800-100.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ The policy can be included as part of the general information security policy fo

The following controls are related to this control:

* PM-9
* PM-09

For more information, refer to the NIST Special Publications 800-12 and 800-100.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ Restricting non-digital media access includes, for example, denying access to pa

The following controls are related to this control:

* AC-3
* [AC-03](/private-mendix-platform/nist-controls/ac-03/)
* IA-2
* MP-4
* PE-2
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ This control addresses the establishment of policy and procedures for the effect

The following controls are related to this control:

* PM-9
* PM-09

For more information, refer to the NIST Special Publications 800-12, 800-18, and 800-100.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ The following controls are related to this control:
* PM-1
* PM-7
* PM-8
* PM-9
* PM-09
* PM-11
* SA-5
* SA-17
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ This control addresses the establishment of policy and procedures for the effect

The following controls are related to this control:

* PM-9
* PM-09

For more information, refer to the NIST Special Publications 800-12, 800-30, and 800-100.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ first two steps in the Risk Management Framework. Risk assessments can play an i
The following controls are related to this control:

* RA-2
* PM-9
* PM-09

For more information, refer to OMB Memorandum 04-04; NIST Special Publication 800-30, and 800-39; [IDManagement](https://www.idmanagement.gov/).

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ This control does not address:

The following controls are related to this control:

* AC-3
* [AC-03](/private-mendix-platform/nist-controls/ac-03/)
* AC-4
* MP-6

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ This control does not impose any requirements on organizations to use cryptograp
The following controls are related to this control:

* AC-2
* AC-3
* [AC-03](/private-mendix-platform/nist-controls/ac-03/)
* AC-7
* AC-17
* AC-18
Expand Down
Loading