Securing Infrastructure Access at Scale in Large Enterprises
Dec 12
Virtual
Register Now
Teleport logoTry For Free
Background image
Compliance

Streamlining NIST CSF 2.0 Compliance

What is NIST CSF 2.0 compliance?

NIST Logo

NIST CSF 2.0 (National Institute of Standards and Technology Cybersecurity Framework version 2.0) is a U.S. framework for improving cybersecurity risk management. It guides organizations in identifying, protecting, detecting, responding to, and recovering from cyber threats. This updated framework emphasizes supply chain security, governance, and resilience, offering flexible, risk-based guidelines that help organizations enhance their cybersecurity posture and meet regulatory requirements.

Need NIST CSF 2.0 Help?

Get in touch

Teleport Features for NIST CSF 2.0 Controls

Access Controls

Control Name

ID

Teleport Capability

Account Management

PR.AC-4, DE.CM-1, DE.CM-3

  • Teleport integrates with SSO providers such as GitHub, Okta, Google, etc.
  • Teleport supports role-based access control (RBAC) for SSH and Kubernetes
  • Teleport certificate-based SSH and Kubernetes authentication and audit logging comply with these requirements without additional configuration.
  • Audit events are emitted when a user is created, updated, deleted, locked, or unlocked.

Access Enforcement

PR.AC-4

Teleport supports robust role-based access controls (RBAC). RBAC can be used to:

  • Control which SSH nodes a user can or cannot access.
  • Control cluster-level configuration (session recording, configuration, etc.).
  • Control which UNIX logins a user is allowed to use when logging into a server.
  • Control which user groups have access to Kubernetes resources.

Unsuccessful Logon Attempts

PR.AC

Teleport supports two types of users: local and SSO-based accounts (GitHub, Google Apps, Okta, etc). For local accounts, by default, Teleport locks accounts for 30 minutes after 5 failed login attempts. For SSO-based accounts, the number of invalid login attempts and lockout time period is controlled by the SSO provider.

System Use Notifications

PR.AC

Teleport integrates with Linux Pluggable Authentication Modules (PAM). PAM modules can be used to display a custom message on login using a message of the day (MOTD) module within the Session management primitive.

Concurrent Session Control

PR.AC

Teleport supports both a maximum number of connections (`max_connections`) and the maximum number of simultaneously connected users (`max_users`) under the `connection_limits` configuration parameter.

Session Termination

PR.AC

Teleport user sessions are automatically terminated when a certificate expires. Users can exit a Teleport interactive session at any time by typing `exit` or sending an interrupt signal to the process for remote execution of a program. Logout of all sessions (destroying credentials) indicates termination of all sessions and includes an explicit logout message.

Remote Access

PR.AC-3

Teleport administrators create users with configurable roles that can be used to allow or deny access to system resources. Admins can terminate active sessions with session locking. Teleport terminates sessions on expiry or inactivity.

Use of External Information Systems

ID.AM-4, PR.AC-3

Teleport supports connecting multiple independent clusters using a feature called Trusted Clusters. When allowing access from one cluster to another, roles are mapped according to a pre-defined relationship of the scope of access.

Audit & Accountability

Control Name

ID

Teleport Capability

Audit & Accountability

DE.CM-1, DE.CM-3 (AU-12)

Teleport contains an Audit Log that records cluster-wide events such as:

  • Failed login attempts
  • The command that was executed (SSH “exec” commands)
  • Ports that were forwarded
  • File transfers that were initiated
  • Filesystem changes
  • Network activity that happened during an interactive user session
  • Recorded interactive user sessions

Events typically include information such as the type, time of occurrence, user or node on which they occurred, and a human-readable audit message.

Teleport supports sending audit events to external managed services such as S3 and DynamoDB where storage concerns are handled by the cloud provider.

Non-Repudiation

PR.PT

Teleport audit logging supports both events as well as audit of an entire SSH session. For non-repudiation purposes, a full session can be replayed back and viewed.

Configuration Management

Control Name

ID

Teleport Capability

Information System Component Inventory

ID.AM-1, ID.AM-2

Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time.

Identification and Authentication

Control Name

ID

Teleport Capability

User Identification and Authentication

PR.AC-1

  • Teleport integrates with SSO providers such as GitHub, Okta, Google, etc.
  • Teleport can act as its own SSO provider
  • Teleport can enforce the use of multi-factor authentication (MFA), including requiring per-session MFA
  • Teleport supports PIV-compatible hardware keys

Device Identification and Authentication

PR.AC-1

Teleport requires valid X.509 or SSH certificates issued by a Teleport Certificate Authority (CA) to establish a network connection for device-to-device network connection between Teleport components.

Identifier Management

PR.AC-1

Teleport maintains several unique identifiers:

  • The local users are required to be unique (unique username)
  • Teleport roles have unique names and tied to organization roles via SSO
  • Teleport identifiers for devices are unique randomly generated IDs (UUID)

Identification and Authentication (Non-Organizational Users)

PR.AC-1

Teleport supports PIV-compatible hardware keys

System and Communications Protection

Control Name

ID

Teleport Capability

Network Disconnection

PR.PT

Teleport requires valid X.509 or SSH certificates issued by a Teleport Certificate Authority (CA) to establish a network connection for device-to-device network connection between Teleport components.

Cryptographic Key Establishment and Management

PR.DS

Teleport initializes cryptographic keys that act as a Certificate Authority (CA) to further issue X.509 and SSH certificates. SSH and X.509 user certificates that are issued are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically (a manual force rotation can also be performed).

Use of Cryptography

PR.DS

Teleport Enterprise builds against a FIPS 140-2 compliant library (BoringCrypto). In addition, when Teleport Enterprise is in FedRAMP/FIPS 140-2 mode, Teleport will only start and use FIPS 140-2 compliant cryptography.

Public Key Infrastructure Certificates

PR.AC

Teleport initializes cryptographic keys that act as a Certificate Authority (CA) to further issue X.509 and SSH certificates. SSH and X.509 user certificates that are issued are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically (a manual force rotation can also be performed).

Session Authenticity

PR.PT

Teleport SSH and TLS sessions are protected with SSH user and X.509 client certificates. For access to the Web UI, Teleport uses bearer token auth stored in a browser token to authenticate a session. Upon user logout, SSH and TLS certificates are deleted from disk and cookies are removed from the browser.

Additional Resources

Blog Post

Securing Infrastructure in Healthcare: Reducing Breaches and Building Resiliency

Webinar

2024 Secure Infrastructure Access Report: Key Insights and Trends

Webinar

Hardening Infrastructure Security Against SSO Identity Provider Compromise

Try Teleport today

In the cloud, self-hosted, or open source.
View developer docs

Get Started
pam