Control ID Title / Statement Priority Baseline Impact
IA-1
Identification and Authentication Policy and Procedures 3 params
The organization: a. Develops, documents, and disseminates to {{ insert: param, ia-1_prm_1 }}: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibil...
Param ID Label Constraint / Choices
ia-1_prm_1 organization-defined personnel or roles Organization-defined
ia-1_prm_2 organization-defined frequency Organization-defined
ia-1_prm_3 organization-defined frequency Organization-defined
IA-2
Identification and Authentication (Organizational Users)
IA-2(1)
Network Access to Privileged Accounts
The information system implements multifactor authentication for network access to privileged accounts.
IA-2(2)
Network Access to Non-privileged Accounts
The information system implements multifactor authentication for network access to non-privileged accounts.
IA-2(3)
Local Access to Privileged Accounts
The information system implements multifactor authentication for local access to privileged accounts.
IA-2(4)
Local Access to Non-privileged Accounts
The information system implements multifactor authentication for local access to non-privileged accounts.
IA-2(5)
Group Authentication
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
IA-2(6)
Network Access to Privileged Accounts - Separate Device 1 param
The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access a...
Param ID Label Constraint / Choices
ia-2.6_prm_1 organization-defined strength of mechanism requirements Organization-defined
IA-2(7)
Network Access to Non-privileged Accounts - Separate Device 1 param
The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining acce...
Param ID Label Constraint / Choices
ia-2.7_prm_1 organization-defined strength of mechanism requirements Organization-defined
IA-2(8)
Network Access to Privileged Accounts - Replay Resistant 1 param
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
Param ID Label Constraint / Choices
ia-02.08_odp Select one-or-more: privileged accounts; non-privileged accounts
IA-2(9)
Network Access to Non-privileged Accounts - Replay Resistant
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
IA-2(10)
Single Sign-on 1 param
The information system provides a single sign-on capability for {{ insert: param, ia-2.10_prm_1 }}.
Param ID Label Constraint / Choices
ia-2.10_prm_1 organization-defined information system accounts and services Organization-defined
IA-2(11)
Remote Access - Separate Device 1 param
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the syste...
Param ID Label Constraint / Choices
ia-2.11_prm_1 organization-defined strength of mechanism requirements Organization-defined
IA-2(12)
Acceptance of PIV Credentials
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.
IA-2(13)
Out-of-band Authentication 2 params
The information system implements {{ insert: param, ia-2.13_prm_1 }} under {{ insert: param, ia-2.13_prm_2 }}.
Param ID Label Constraint / Choices
ia-2.13_prm_1 organization-defined out-of-band authentication Organization-defined
ia-2.13_prm_2 organization-defined conditions Organization-defined
IA-3
Device Identification and Authentication 2 params
The information system uniquely identifies and authenticates {{ insert: param, ia-3_prm_1 }} before establishing a {{ insert: param, ia-3_prm_2 }} connection.
Param ID Label Constraint / Choices
ia-3_prm_1 organization-defined specific and/or types of devices Organization-defined
ia-3_prm_2 Select one-or-more: local; remote; network
IA-3(1)
Cryptographic Bidirectional Authentication 2 params
The information system authenticates {{ insert: param, ia-3.1_prm_1 }} before establishing {{ insert: param, ia-3.1_prm_2 }} connection using bidirectional authentication that is cryptographically ...
Param ID Label Constraint / Choices
ia-3.1_prm_1 organization-defined specific devices and/or types of devices Organization-defined
ia-3.1_prm_2 Select one-or-more: local; remote; network
IA-3(2)
Cryptographic Bidirectional Network Authentication
IA-3(3)
Dynamic Address Allocation 1 param
The organization: (a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with {{ insert: param, ia-3.3_prm_1 }}; and (b) Audits l...
Param ID Label Constraint / Choices
ia-3.3_prm_1 organization-defined lease information and lease duration Organization-defined
IA-3(4)
Device Attestation 1 param
The organization ensures that device identification and authentication based on attestation is handled by {{ insert: param, ia-3.4_prm_1 }}.
Param ID Label Constraint / Choices
ia-3.4_prm_1 organization-defined configuration management process Organization-defined
IA-4
Identifier Management 3 params
The organization manages information system identifiers by: a. Receiving authorization from {{ insert: param, ia-4_prm_1 }} to assign an individual, group, role, or device identifier; b. Select...
Param ID Label Constraint / Choices
ia-4_prm_1 organization-defined personnel or roles Organization-defined
ia-4_prm_2 organization-defined time period Organization-defined
ia-4_prm_3 organization-defined time period of inactivity Organization-defined
IA-4(1)
Prohibit Account Identifiers as Public Identifiers
The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts.
IA-4(2)
Supervisor Authorization
The organization requires that the registration process to receive an individual identifier includes supervisor authorization.
IA-4(3)
Multiple Forms of Certification
The organization requires multiple forms of certification of individual identification be presented to the registration authority.
IA-4(4)
Identify User Status 1 param
The organization manages individual identifiers by uniquely identifying each individual as {{ insert: param, ia-4.4_prm_1 }}.
Param ID Label Constraint / Choices
ia-4.4_prm_1 organization-defined characteristic identifying individual status Organization-defined
IA-4(5)
Dynamic Management
The information system dynamically manages identifiers.
IA-4(6)
Cross-organization Management 1 param
The organization coordinates with {{ insert: param, ia-4.6_prm_1 }} for cross-organization management of identifiers.
Param ID Label Constraint / Choices
ia-4.6_prm_1 organization-defined external organizations Organization-defined
IA-4(7)
In-person Registration
The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority.
IA-5
Authenticator Management 1 param
The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving th...
Param ID Label Constraint / Choices
ia-5_prm_1 organization-defined time period by authenticator type Organization-defined
IA-5(1)
Password-based Authentication 4 params
The information system, for password-based authentication: (a) Enforces minimum password complexity of {{ insert: param, ia-5.1_prm_1 }}; (b) Enforces at least the following number of changed c...
Param ID Label Constraint / Choices
ia-5.1_prm_1 organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type Organization-defined
ia-5.1_prm_2 organization-defined number Organization-defined
ia-5.1_prm_3 organization-defined numbers for lifetime minimum, lifetime maximum Organization-defined
ia-5.1_prm_4 organization-defined number Organization-defined
IA-5(2)
PKI-based Authentication
The information system, for PKI-based authentication: (a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate st...
IA-5(3)
In-person or Trusted Third-party Registration 4 params
The organization requires that the registration process to receive {{ insert: param, ia-5.3_prm_1 }} be conducted {{ insert: param, ia-5.3_prm_2 }} before {{ insert: param, ia-5.3_prm_3 }} with aut...
Param ID Label Constraint / Choices
ia-5.3_prm_1 organization-defined types of and/or specific authenticators Organization-defined
ia-5.3_prm_2 Select one: in person; by a trusted third party
ia-5.3_prm_3 organization-defined registration authority Organization-defined
ia-5.3_prm_4 organization-defined personnel or roles Organization-defined
IA-5(4)
Automated Support for Password Strength Determination 1 param
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy {{ insert: param, ia-5.4_prm_1 }}.
Param ID Label Constraint / Choices
ia-5.4_prm_1 organization-defined requirements Organization-defined
IA-5(5)
Change Authenticators Prior to Delivery
The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.
IA-5(6)
Protection of Authenticators
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
IA-5(7)
No Embedded Unencrypted Static Authenticators
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
IA-5(8)
Multiple Information System Accounts 1 param
The organization implements {{ insert: param, ia-5.8_prm_1 }} to manage the risk of compromise due to individuals having accounts on multiple information systems.
Param ID Label Constraint / Choices
ia-5.8_prm_1 organization-defined security safeguards Organization-defined
IA-5(9)
Cross-organization Credential Management 1 param
The organization coordinates with {{ insert: param, ia-5.9_prm_1 }} for cross-organization management of credentials.
Param ID Label Constraint / Choices
ia-5.9_prm_1 organization-defined external organizations Organization-defined
IA-5(10)
Dynamic Credential Association
The information system dynamically provisions identities.
IA-5(11)
Hardware Token-based Authentication 1 param
The information system, for hardware token-based authentication, employs mechanisms that satisfy {{ insert: param, ia-5.11_prm_1 }}.
Param ID Label Constraint / Choices
ia-5.11_prm_1 organization-defined token quality requirements Organization-defined
IA-5(12)
Biometric-based Authentication 1 param
The information system, for biometric-based authentication, employs mechanisms that satisfy {{ insert: param, ia-5.12_prm_1 }}.
Param ID Label Constraint / Choices
ia-5.12_prm_1 organization-defined biometric quality requirements Organization-defined
IA-5(13)
Expiration of Cached Authenticators 1 param
The information system prohibits the use of cached authenticators after {{ insert: param, ia-5.13_prm_1 }}.
Param ID Label Constraint / Choices
ia-5.13_prm_1 organization-defined time period Organization-defined
IA-5(14)
Managing Content of PKI Trust Stores
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, op...
IA-5(15)
FICAM-approved Products and Services
The organization uses only FICAM-approved path discovery and validation products and services.
IA-6
Authenticator Feedback
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
IA-7
Cryptographic Module Authentication
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations,...
IA-8
Identification and Authentication (Non-organizational Users)
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
IA-8(1)
Acceptance of PIV Credentials from Other Agencies
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
IA-8(2)
Acceptance of Third-party Credentials
The information system accepts only FICAM-approved third-party credentials.
IA-8(3)
Use of FICAM-approved Products 1 param
The organization employs only FICAM-approved information system components in {{ insert: param, ia-8.3_prm_1 }} to accept third-party credentials.
Param ID Label Constraint / Choices
ia-8.3_prm_1 organization-defined information systems Organization-defined
IA-8(4)
Use of FICAM-issued Profiles 1 param
The information system conforms to FICAM-issued profiles.
Param ID Label Constraint / Choices
ia-08.04_odp identity management profiles identity management profiles are defined;
IA-8(5)
Acceptance of PIV-I Credentials
The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials.
IA-9
Service Identification and Authentication 2 params
The organization identifies and authenticates {{ insert: param, ia-9_prm_1 }} using {{ insert: param, ia-9_prm_2 }}.
Param ID Label Constraint / Choices
ia-9_prm_1 organization-defined information system services Organization-defined
ia-9_prm_2 organization-defined security safeguards Organization-defined
IA-9(1)
Information Exchange
The organization ensures that service providers receive, validate, and transmit identification and authentication information.
IA-9(2)
Transmission of Decisions 1 param
The organization ensures that identification and authentication decisions are transmitted between {{ insert: param, ia-9.2_prm_1 }} consistent with organizational policies.
Param ID Label Constraint / Choices
ia-9.2_prm_1 organization-defined services Organization-defined
IA-10
Adaptive Identification and Authentication 2 params
The organization requires that individuals accessing the information system employ {{ insert: param, ia-10_prm_1 }} under specific {{ insert: param, ia-10_prm_2 }}.
Param ID Label Constraint / Choices
ia-10_prm_1 organization-defined supplemental authentication techniques or mechanisms Organization-defined
ia-10_prm_2 organization-defined circumstances or situations Organization-defined
IA-11
Re-authentication 1 param
The organization requires users and devices to re-authenticate when {{ insert: param, ia-11_prm_1 }}.
Param ID Label Constraint / Choices
ia-11_prm_1 organization-defined circumstances or situations requiring re-authentication Organization-defined
ia-1a Develops, documents, and disseminates to {{ insert: param, ia-1_prm_1 }}:
ia-1a.1 An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organ...
ia-1a.2 Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication contro...
ia-1b Reviews and updates the current:
ia-1b.1 Identification and authentication policy {{ insert: param, ia-1_prm_2 }}; and
ia-1b.2 Identification and authentication procedures {{ insert: param, ia-1_prm_3 }}.
ia-3.3.(a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with {{ insert: param, ia-3.3_pr...
ia-3.3.(b) Audits lease information when assigned to a device.
ia-4a Receiving authorization from {{ insert: param, ia-4_prm_1 }} to assign an individual, group, role, or device identifier;
ia-4b Selecting an identifier that identifies an individual, group, role, or device;
ia-4c Assigning the identifier to the intended individual, group, role, or device;
ia-4d Preventing reuse of identifiers for {{ insert: param, ia-4_prm_2 }}; and
ia-4e Disabling the identifier after {{ insert: param, ia-4_prm_3 }}.
ia-5.1.(a) Enforces minimum password complexity of {{ insert: param, ia-5.1_prm_1 }};
ia-5.1.(b) Enforces at least the following number of changed characters when new passwords are created: {{ insert: param, ia-5.1_prm_2 }};
ia-5.1.(c) Stores and transmits only cryptographically-protected passwords;
ia-5.1.(d) Enforces password minimum and maximum lifetime restrictions of {{ insert: param, ia-5.1_prm_3 }};
ia-5.1.(e) Prohibits password reuse for {{ insert: param, ia-5.1_prm_4 }} generations; and
ia-5.1.(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
ia-5.2.(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status infor...
ia-5.2.(b) Enforces authorized access to the corresponding private key;
ia-5.2.(c) Maps the authenticated identity to the account of the individual or group; and
ia-5.2.(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the ...
ia-5a Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
ia-5b Establishing initial authenticator content for authenticators defined by the organization;
ia-5c Ensuring that authenticators have sufficient strength of mechanism for their intended use;
ia-5d Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and...
ia-5e Changing default content of authenticators prior to information system installation;
ia-5f Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
ia-5g Changing/refreshing authenticators {{ insert: param, ia-5_prm_1 }};
ia-5h Protecting authenticator content from unauthorized disclosure and modification;
ia-5i Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
ia-5j Changing authenticators for group/role accounts when membership to those accounts changes.