Shared user accounts are used and not documented by the ISSO/IAO.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-7958	DSN13.03	SV-8444r1_rule	ECSC-1 IAIA-1 IAIA-2	Medium

Description
Requirement: The IAO will ensure that shared user accounts will not be used. Unless the use of shared user accounts is operationally essential and/or the device in question does not support multiple accounts. The identity of users of DSN components need to be available to the ISSO/IAO through the use of unique usernames assigned to each user. This ensures that the ISSO/IAO is able to hold users accountable for their actions through the analysis of audit records. This type of accountability cannot be accomplished if shared accounts are used.

Description

Requirement: The IAO will ensure that shared user accounts will not be used. Unless the use of shared user accounts is operationally essential and/or the device in question does not support multiple accounts. The identity of users of DSN components need to be available to the ISSO/IAO through the use of unique usernames assigned to each user. This ensures that the ISSO/IAO is able to hold users accountable for their actions through the analysis of audit records. This type of accountability cannot be accomplished if shared accounts are used.

STIG	Date
Defense Switched Network STIG	2015-01-02

Details

Check Text ( C-7378r1_chk )
Have the IAO or SA demonstrate compliance with the requirement; minimally on a sampling of the related or effected devices.

Fix Text (F-7533r1_fix)
Document shared accounts - i.e., Keep a record of the human user and their assigned username. Shared accounts will only be used if required out of operational necessity and documented by the ISSO/IAO.