AC-2(5) / AC-2(13) / A.9.2.5 / CIS-5.3 NIST SP 800-53 Rev 5

Vendor remote access is time-bound + ticketed

Description

What this control does

This control ensures that third-party vendors and service providers are granted remote access to organizational systems only for explicitly defined time periods and through a formal ticketing or request mechanism. Access is provisioned based on documented business need, automatically expires or is revoked after the approved window, and is traceable to a specific service request or incident ticket. This prevents indefinite vendor access from becoming a persistent attack vector and ensures accountability for all remote vendor sessions.

Control objective

What auditing this proves

Demonstrate that all vendor remote access is provisioned through a documented ticketing system with time-bound expiration, and that access is consistently revoked upon ticket closure or timeframe expiration.

Associated risks

Risks this control addresses

  • Vendor accounts with indefinite access persist after business need ends, expanding the attack surface for credential compromise
  • Unauthorized or undocumented vendor access occurs without detection due to lack of formal request tracking
  • Compromised vendor credentials provide long-term persistent access for threat actors to conduct reconnaissance or establish backdoors
  • Former vendor employees retain access credentials after contract termination or personnel changes
  • Vendor session activity cannot be correlated to legitimate business justification during incident investigation
  • Excessive access duration enables lateral movement or privilege escalation that would be prevented by shorter session windows
  • Lack of time-bound controls creates audit trail gaps preventing reconstruction of who accessed what systems and when

Testing procedure

How an auditor verifies this control

  1. Obtain the vendor access management policy and procedures documentation defining time-bound and ticketing requirements
  2. Generate a complete inventory of all active vendor remote access accounts, credentials, and VPN profiles from identity management systems, VPN concentrators, and PAM solutions
  3. Select a representative sample of 15-25 vendor access instances spanning different vendors, access types, and time periods
  4. For each sampled access instance, retrieve the originating service ticket, change request, or access request record from the ticketing system
  5. Verify that each ticket documents the business justification, requested access duration, approval chain, and authorized timeframe
  6. Compare the provisioned access start and end dates in technical systems against the approved timeframe documented in tickets
  7. Review system logs or PAM session recordings to confirm that access was actually revoked or disabled when tickets closed or time windows expired
  8. Test access expiration controls by identifying at least three closed tickets and verifying the associated vendor accounts are disabled or credentials invalidated

Evidence required

Collect vendor access management policies, complete exports of active vendor accounts from IAM/PAM platforms with creation and expiration timestamps, sample service tickets or change requests with approval workflows and time boundaries, VPN or remote access gateway configuration showing session timeout settings, access provisioning and deprovisioning logs correlated to ticket numbers, and screenshots demonstrating disabled accounts for expired access requests.

Pass criteria

All sampled vendor remote access instances are documented in formal tickets with defined time boundaries, technical access controls enforce or track the approved timeframes, and access is consistently revoked within 24 hours of ticket closure or timeframe expiration.
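As an added example (not from this page or any particular IAM, PAM or ticketing product), the reconciliation below automates steps 4 through 8 of the testing procedure and the 24-hour revocation criterion over constructed IAM/PAM and ticketing exports; the field names, ticket identifiers and sample rows are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample exports (hypothetical data, not taken from any real system).
# IAM/PAM rows: account, originating ticket, provisioned window, current state.
IAM_EXPORT = [
    {"account": "vendor-acme-01", "ticket": "CHG-1001", "enabled": False,
     "created": "2024-03-01T09:00", "expires": "2024-03-03T17:00"},
    {"account": "vendor-acme-02", "ticket": "CHG-1002", "enabled": True,
     "created": "2024-03-05T08:00", "expires": "2024-03-20T17:00"},
    {"account": "vendor-beta-07", "ticket": "CHG-1003", "enabled": True,
     "created": "2024-03-10T10:00", "expires": "2024-03-11T10:00"},
    {"account": "vendor-gamma-01", "ticket": None, "enabled": True,
     "created": "2023-11-02T12:00", "expires": None},
]
# Ticket rows: approved window and closure time (None = ticket still open).
TICKETS = {
    "CHG-1001": {"start": "2024-03-01T09:00", "end": "2024-03-03T17:00", "closed": "2024-03-03T15:30"},
    "CHG-1002": {"start": "2024-03-05T08:00", "end": "2024-03-07T17:00", "closed": None},
    "CHG-1003": {"start": "2024-03-10T10:00", "end": "2024-03-11T10:00", "closed": "2024-03-11T09:00"},
}
REVOCATION_SLA = timedelta(hours=24)  # pass criteria: revoked within 24 hours


def _ts(value):
    """Parse an ISO-8601 string from the export; None stays None."""
    return datetime.fromisoformat(value) if value else None


def audit_vendor_access(iam_rows, tickets, now_iso):
    """Return {account: [findings]} for every account that fails the control."""
    now, findings = _ts(now_iso), {}
    for row in iam_rows:
        issues = []
        ticket = tickets.get(row["ticket"]) if row["ticket"] else None
        if ticket is None:
            issues.append("no originating ticket")          # step 4
        if row["expires"] is None:
            issues.append("no expiration set")              # time-bound requirement
        if ticket:
            # Step 6: the provisioned window must sit inside the approved window.
            if _ts(row["created"]) < _ts(ticket["start"]) or (
                    row["expires"] and _ts(row["expires"]) > _ts(ticket["end"])):
                issues.append("provisioned window exceeds approved timeframe")
            # Steps 7-8: access must be gone within 24 h of closure or expiry,
            # whichever came first.
            deadlines = [t for t in (_ts(ticket["closed"]), _ts(ticket["end"])) if t]
            if row["enabled"] and deadlines and now - min(deadlines) > REVOCATION_SLA:
                issues.append("still enabled >24h after ticket closure/expiry")
        if issues:
            findings[row["account"]] = issues
    return findings
```

Running it against the sample exports at a fixed audit time flags the account with no ticket, the account provisioned past its approved end date, and the account still enabled more than a day after its ticket closed, while the properly revoked account produces no finding.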
