Control ID Title / Statement Priority Baseline Impact
IA-01
Policy and Procedures 9 params
a. Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}: 1. {{ insert: param, ia-01_odp.03 }} identification and authentication policy that: (a) Addresses purpose, scop...
Param ID Label Constraint / Choices
ia-1_prm_1 organization-defined personnel or roles Organization-defined
ia-01_odp.01 personnel or roles personnel or roles to whom the identification and authentication policy is to be disseminated are defined;
ia-01_odp.02 personnel or roles personnel or roles to whom the identification and authentication procedures are to be disseminated are defined;
ia-01_odp.03 Select one-or-more: organization-level; mission/business process-level; system-level
ia-01_odp.04 official an official to manage the identification and authentication policy and procedures is defined;
ia-01_odp.05 frequency the frequency at which the current identification and authentication policy is reviewed and updated is defined;
ia-01_odp.06 events events that would require the current identification and authentication policy to be reviewed and updated are defined;
ia-01_odp.07 frequency the frequency at which the current identification and authentication procedures are reviewed and updated is defined;
ia-01_odp.08 events events that would require identification and authentication procedures to be reviewed and updated are defined;
IA-02
Identification and Authentication (Organizational Users)
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
IA-02(01)
Multi-factor Authentication to Privileged Accounts
Implement multi-factor authentication for access to privileged accounts.
IA-02(02)
Multi-factor Authentication to Non-privileged Accounts
Implement multi-factor authentication for access to non-privileged accounts.
IA-02(03)
Local Access to Privileged Accounts
IA-02(04)
Local Access to Non-privileged Accounts
IA-02(05)
Individual Authentication with Group Authentication
When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.
IA-02(06)
Access to Accounts — Separate Device 3 params
Implement multi-factor authentication for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that: (a) One of the factors is provided by a device separate fr...
Param ID Label Constraint / Choices
ia-02.06_odp.01 Select one-or-more: local; network; remote
ia-02.06_odp.02 Select one-or-more: privileged accounts; non-privileged accounts
ia-02.06_odp.03 strength of mechanism requirements the strength of mechanism requirements to be enforced by a device separate from the system gaining access to accounts...
IA-02(07)
Network Access to Non-privileged Accounts — Separate Device
IA-02(08)
Access to Accounts — Replay Resistant 1 param
Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}.
Param ID Label Constraint / Choices
ia-02.08_odp Select one-or-more: privileged accounts; non-privileged accounts
IA-02(09)
Network Access to Non-privileged Accounts — Replay Resistant
IA-02(10)
Single Sign-on 1 param
Provide a single sign-on capability for {{ insert: param, ia-02.10_odp }}.
Param ID Label Constraint / Choices
ia-02.10_odp system accounts and services system accounts and services for which a single sign-on capability must be provided are defined;
IA-02(11)
Remote Access — Separate Device
IA-02(12)
Acceptance of PIV Credentials
Accept and electronically verify Personal Identity Verification-compliant credentials.
IA-02(13)
Out-of-band Authentication 2 params
Implement the following out-of-band authentication mechanisms under {{ insert: param, ia-02.13_odp.02 }}: {{ insert: param, ia-02.13_odp.01 }}.
Param ID Label Constraint / Choices
ia-02.13_odp.01 out-of-band authentication out-of-band authentication mechanisms to be implemented are defined;
ia-02.13_odp.02 conditions conditions under which out-of-band authentication is to be implemented are defined;
IA-03
Device Identification and Authentication 2 params
Uniquely identify and authenticate {{ insert: param, ia-03_odp.01 }} before establishing a {{ insert: param, ia-03_odp.02 }} connection.
Param ID Label Constraint / Choices
ia-03_odp.01 devices and/or types of devices devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defi...
ia-03_odp.02 Select one-or-more: local; remote; network
IA-03(01)
Cryptographic Bidirectional Authentication 2 params
Authenticate {{ insert: param, ia-03.01_odp.01 }} before establishing {{ insert: param, ia-03.01_odp.02 }} connection using bidirectional authentication that is cryptographically based.
Param ID Label Constraint / Choices
ia-03.01_odp.01 devices and/or types of devices devices and/or types of devices requiring use of cryptographically based, bidirectional authentication to authenticat...
ia-03.01_odp.02 Select one-or-more: local; remote; network
IA-03(02)
Cryptographic Bidirectional Network Authentication
IA-03(03)
Dynamic Address Allocation 3 params
(a) Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with {{ insert: param, ia-3.3_prm_...
Param ID Label Constraint / Choices
ia-3.3_prm_1 organization-defined lease information and lease duration Organization-defined
ia-03.03_odp.01 lease information lease information to be employed to standardize dynamic address allocation for devices is defined;
ia-03.03_odp.02 lease duration lease duration to be employed to standardize dynamic address allocation for devices is defined;
IA-03(04)
Device Attestation 1 param
Handle device identification and authentication based on attestation by {{ insert: param, ia-03.04_odp }}.
Param ID Label Constraint / Choices
ia-03.04_odp configuration management process configuration management process to be employed to handle device identification and authentication based on attestati...
IA-04
Identifier Management 2 params
Manage system identifiers by: a. Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier; b. Selecting an identifier t...
Param ID Label Constraint / Choices
ia-04_odp.01 personnel or roles personnel or roles from whom authorization must be received to assign an identifier are defined;
ia-04_odp.02 time period a time period for preventing reuse of identifiers is defined;
IA-04(01)
Prohibit Account Identifiers as Public Identifiers
Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts.
IA-04(02)
Supervisor Authorization
IA-04(03)
Multiple Forms of Certification
IA-04(04)
Identify User Status 1 param
Manage individual identifiers by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.
Param ID Label Constraint / Choices
ia-04.04_odp characteristics characteristics used to identify individual status are defined;
IA-04(05)
Dynamic Management 1 param
Manage individual identifiers dynamically in accordance with {{ insert: param, ia-04.05_odp }}.
Param ID Label Constraint / Choices
ia-04.05_odp dynamic identifier policy a dynamic identifier policy for managing individual identifiers is defined;
IA-04(06)
Cross-organization Management 1 param
Coordinate with the following external organizations for cross-organization management of identifiers: {{ insert: param, ia-04.06_odp }}.
Param ID Label Constraint / Choices
ia-04.06_odp external organizations external organizations with whom to coordinate the cross-organization management of identifiers are defined;
IA-04(07)
In-person Registration
IA-04(08)
Pairwise Pseudonymous Identifiers
Generate pairwise pseudonymous identifiers.
IA-04(09)
Attribute Maintenance and Protection 1 param
Maintain the attributes for each uniquely identified individual, device, or service in {{ insert: param, ia-04.09_odp }}.
Param ID Label Constraint / Choices
ia-04.09_odp protected central storage protected central storage used to maintain the attributes for each uniquely identified individual, device, or service...
IA-05
Authenticator Management 2 params
Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b....
Param ID Label Constraint / Choices
ia-05_odp.01 time period by authenticator type a time period for changing or refreshing authenticators by authenticator type is defined;
ia-05_odp.02 events events that trigger the change or refreshment of authenticators are defined;
IA-05(01)
Password-based Authentication 2 params
For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwo...
Param ID Label Constraint / Choices
ia-05.01_odp.01 frequency the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;
ia-05.01_odp.02 composition and complexity rules authenticator composition and complexity rules are defined;
IA-05(02)
Public Key-based Authentication
(a) For public key-based authentication: (1) Enforce authorized access to the corresponding private key; and (2) Map the authenticated identity to the account of the individual or group; ...
IA-05(03)
In-person or Trusted External Party Registration
IA-05(04)
Automated Support for Password Strength Determination
IA-05(05)
Change Authenticators Prior to Delivery
Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation.
IA-05(06)
Protection of Authenticators
Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.
IA-05(07)
No Embedded Unencrypted Static Authenticators
Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.
IA-05(08)
Multiple System Accounts 1 param
Implement {{ insert: param, ia-05.08_odp }} to manage the risk of compromise due to individuals having accounts on multiple systems.
Param ID Label Constraint / Choices
ia-05.08_odp security controls security controls implemented to manage the risk of compromise due to individuals having accounts on multiple systems...
IA-05(09)
Federated Credential Management 1 param
Use the following external organizations to federate credentials: {{ insert: param, ia-05.09_odp }}.
Param ID Label Constraint / Choices
ia-05.09_odp external organizations external organizations to be used for federating credentials are defined;
IA-05(10)
Dynamic Credential Binding 1 param
Bind identities and authenticators dynamically using the following rules: {{ insert: param, ia-05.10_odp }}.
Param ID Label Constraint / Choices
ia-05.10_odp binding rules rules for dynamically binding identities and authenticators are defined;
IA-05(11)
Hardware Token-based Authentication
IA-05(12)
Biometric Authentication Performance 1 param
For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements {{ insert: param, ia-05.12_odp }}.
Param ID Label Constraint / Choices
ia-05.12_odp biometric quality requirements biometric quality requirements for biometric-based authentication are defined;
IA-05(13)
Expiration of Cached Authenticators 1 param
Prohibit the use of cached authenticators after {{ insert: param, ia-05.13_odp }}.
Param ID Label Constraint / Choices
ia-05.13_odp time period the time period after which the use of cached authenticators is prohibited is defined;
IA-05(14)
Managing Content of PKI Trust Stores
For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, a...
IA-05(15)
GSA-approved Products and Services
Use only General Services Administration-approved products and services for identity, credential, and access management.
IA-05(16)
In-person or Trusted External Party Authenticator Issuance 4 params
Require that the issuance of {{ insert: param, ia-05.16_odp.01 }} be conducted {{ insert: param, ia-05.16_odp.02 }} before {{ insert: param, ia-05.16_odp.03 }} with authorization by {{ insert: para...
Param ID Label Constraint / Choices
ia-05.16_odp.01 types of and/or specific authenticators types of and/or specific authenticators to be issued are defined;
ia-05.16_odp.02 Select one: in person; by a trusted external party
ia-05.16_odp.03 registration authority the registration authority that issues authenticators is defined;
ia-05.16_odp.04 personnel or roles the personnel or roles who authorize the issuance of authenticators are defined;
IA-05(17)
Presentation Attack Detection for Biometric Authenticators
Employ presentation attack detection mechanisms for biometric-based authentication.
IA-05(18)
Password Managers 2 params
(a) Employ {{ insert: param, ia-05.18_odp.01 }} to generate and manage passwords; and (b) Protect the passwords using {{ insert: param, ia-05.18_odp.02 }}.
Param ID Label Constraint / Choices
ia-05.18_odp.01 password managers password managers employed for generating and managing passwords are defined;
ia-05.18_odp.02 controls controls for protecting passwords are defined;
IA-06
Authentication Feedback
Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
IA-07
Cryptographic Module Authentication
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for s...
IA-08
Identification and Authentication (Non-organizational Users)
Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
IA-08(01)
Acceptance of PIV Credentials from Other Agencies
Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.
IA-08(02)
Acceptance of External Authenticators
(a) Accept only external authenticators that are NIST-compliant; and (b) Document and maintain a list of accepted external authenticators.
IA-08(03)
Use of FICAM-approved Products
IA-08(04)
Use of Defined Profiles 1 param
Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}.
Param ID Label Constraint / Choices
ia-08.04_odp identity management profiles identity management profiles are defined;
IA-08(05)
Acceptance of PIV-I Credentials 1 param
Accept and verify federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }}.
Param ID Label Constraint / Choices
ia-08.05_odp policy a policy for using federated or PKI credentials is defined;
IA-08(06)
Disassociability 1 param
Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: {{ insert: param, ia-08....
Param ID Label Constraint / Choices
ia-08.06_odp measures disassociability measures are defined;
IA-09
Service Identification and Authentication 1 param
Uniquely identify and authenticate {{ insert: param, ia-09_odp }} before establishing communications with devices, users, or other services or applications.
Param ID Label Constraint / Choices
ia-09_odp system services and applications system services and applications to be uniquely identified and authenticated are defined;
IA-09(01)
Information Exchange
IA-09(02)
Transmission of Decisions
IA-10
Adaptive Authentication 2 params
Require individuals accessing the system to employ {{ insert: param, ia-10_odp.01 }} under specific {{ insert: param, ia-10_odp.02 }}.
Param ID Label Constraint / Choices
ia-10_odp.01 supplemental authentication techniques or mechanisms supplemental authentication techniques or mechanisms to be employed when accessing the system under specific circumst...
ia-10_odp.02 circumstances or situations circumstances or situations that require individuals accessing the system to employ supplemental authentication techn...
IA-11
Re-authentication 1 param
Require users to re-authenticate when {{ insert: param, ia-11_odp }}.
Param ID Label Constraint / Choices
ia-11_odp circumstances or situations circumstances or situations requiring re-authentication are defined;
IA-12
Identity Proofing
a. Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines; b. Re...
IA-12(01)
Supervisor Authorization
Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization.
IA-12(02)
Identity Evidence
Require evidence of individual identification be presented to the registration authority.
IA-12(03)
Identity Evidence Validation and Verification 1 param
Require that the presented identity evidence be validated and verified through {{ insert: param, ia-12.03_odp }}.
Param ID Label Constraint / Choices
ia-12.03_odp methods of validation and verification methods of validation and verification of identity evidence are defined;
IA-12(04)
In-person Validation and Verification
Require that the validation and verification of identity evidence be conducted in person before a designated registration authority.
IA-12(05)
Address Confirmation 1 param
Require that a {{ insert: param, ia-12.05_odp }} be delivered through an out-of-band channel to verify the user's address (physical or digital) of record.
Param ID Label Constraint / Choices
ia-12.05_odp Select one: registration code; notice of proofing
IA-12(06)
Accept Externally-proofed Identities 1 param
Accept externally-proofed identities at {{ insert: param, ia-12.06_odp }}.
Param ID Label Constraint / Choices
ia-12.06_odp identity assurance level an identity assurance level for accepting externally proofed identities is defined;
ia-12a Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in...
ia-12b Resolve user identities to a unique individual; and
ia-12c Collect, validate, and verify identity evidence.
IA-13
Identity Providers and Authorization Servers 2 params
Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisio...
Param ID Label Constraint / Choices
ia-13_odp.01 policy identification and authentication policy is defined;
ia-13_odp.02 mechanisms mechanisms supporting authentication and authorization decisions are defined;
IA-13(01)
Protection of Cryptographic Keys
Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse.
IA-13(02)
Verification of Identity Assertions and Access Tokens
The source and integrity of identity assertions and access tokens are verified before granting access to system and information resources.
IA-13(03)
Token Management
In accordance with {{ insert: param, ia-13_odp.01 }}, assertions and access tokens are: (a) generated; (b) issued; (c) refreshed; (d) revoked; (e) time-restricted; and (f) audience-rest...
ia-13.3.(a) generated;
ia-13.3.(b) issued;
ia-13.3.(c) refreshed;
ia-13.3.(d) revoked;
ia-13.3.(e) time-restricted; and
ia-13.3.(f) audience-restricted.
ia-1a Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:
ia-1a.1 {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:
ia-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
ia-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
ia-1a.2 Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication co...
ia-1b Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication...
ia-1c Review and update the current identification and authentication:
ia-1c.1 Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }}; and
ia-1c.2 Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}.
ia-2.6.(a) One of the factors is provided by a device separate from the system gaining access; and
ia-2.6.(b) The device meets {{ insert: param, ia-02.06_odp.03 }}.
ia-3.3.(a) Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in a...
ia-3.3.(b) Audit lease information when assigned to a device.
ia-4a Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;
ia-4b Selecting an identifier that identifies an individual, group, role, service, or device;
ia-4c Assigning the identifier to the intended individual, group, role, service, or device; and
ia-4d Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.
ia-5.18.(a) Employ {{ insert: param, ia-05.18_odp.01 }} to generate and manage passwords; and
ia-5.18.(b) Protect the passwords using {{ insert: param, ia-05.18_odp.02 }}.
ia-5.1.(a) Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organization...
ia-5.1.(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in...
ia-5.1.(c) Transmit passwords only over cryptographically-protected channels;
ia-5.1.(d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;
ia-5.1.(e) Require immediate selection of a new password upon account recovery;
ia-5.1.(f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;
ia-5.1.(g) Employ automated tools to assist the user in selecting strong password authenticators; and
ia-5.1.(h) Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}.
ia-5.2.(a) For public key-based authentication:
ia-5.2.(a).(1) Enforce authorized access to the corresponding private key; and
ia-5.2.(a).(2) Map the authenticated identity to the account of the individual or group; and
ia-5.2.(b) When public key infrastructure (PKI) is used:
ia-5.2.(b).(1) Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status informa...
ia-5.2.(b).(2) Implement a local cache of revocation data to support path discovery and validation.
ia-5a Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authent...
ia-5b Establishing initial authenticator content for any authenticators issued by the organization;
ia-5c Ensuring that authenticators have sufficient strength of mechanism for their intended use;
ia-5d Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, ...
ia-5e Changing default authenticators prior to first use;
ia-5f Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;
ia-5g Protecting authenticator content from unauthorized disclosure and modification;
ia-5h Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
ia-5i Changing authenticators for group or role accounts when membership to those accounts changes.
ia-8.2.(a) Accept only external authenticators that are NIST-compliant; and
ia-8.2.(b) Document and maintain a list of accepted external authenticators.