The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and b. Reviews and updates the current: 1. Identification and authentication policy [Assignment: organization-defined frequency]; and 2. Identification and authentication procedures [Assignment: organization-defined frequency].
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
The information system implements multifactor authentication for network access to privileged accounts.
The information system implements multifactor authentication for network access to non-privileged accounts.
The information system implements multifactor authentication for local access to privileged accounts.
The information system implements multifactor authentication for local access to non-privileged accounts.
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
The information system provides a single sign-on capability for [Assignment: organization-defined information system accounts and services].
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.
The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions].
The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based.
[Withdrawn: Incorporated into IA-3 (1)].
The organization: (a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and (b) Audits lease information when assigned to a device.
The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process].
The organization manages information system identifiers by: a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier; b. Selecting an identifier that identifies an individual, group, role, or device; c. Assigning the identifier to the intended individual, group, role, or device; d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts.
The organization requires that the registration process to receive an individual identifier includes supervisor authorization.
The organization requires multiple forms of certification of individual identification be presented to the registration authority.
The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].
The information system dynamically manages identifiers.
The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers.
The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority.
The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
The information system, for PKI-based authentication: (a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; (b) Enforces authorized access to the corresponding private key; (c) Maps the authenticated identity to the account of the individual or group; and (d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].
The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems.
The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials.
The information system dynamically provisions identities.
The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].
The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements].
The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period].
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.
The organization uses only FICAM-approved path discovery and validation products and services.
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
The information system accepts only FICAM-approved third-party credentials.
The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials.
The information system conforms to FICAM-issued profiles.
The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials.
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
The organization ensures that service providers receive, validate, and transmit identification and authentication information.
The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies.
The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].
The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].