Identification and Authentication (IA)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

1. 
   Develops, documents, and disseminates to all personnel:
   
   1. 
      An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      
   2. 
      Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
      
2. 
   Reviews and updates the current:
   
   1. 
      Identification and authentication policy at least annually; and
      
   2. 
      Identification and authentication procedures at least annually.
      

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

Identification is an act or process that presents an identifier to a system so the system can recognize a system entity (e.g., user, process, or device) and distinguish that entity from all others. Authentication is the act or process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an IS. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof.

Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). In addition to identifying and authenticating users at the information system level (i.e., at logon), identification and authentication mechanisms may be employed at the application level, when deemed necessary, to provide increased information security.

Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). In addition to identifying and authenticating users at the information system level (i.e., at logon), identification and authentication mechanisms may be employed at the application level, when deemed necessary, to provide increased information security. In general, group accounts are prohibited. Users must be uniquely identified and authenticated, unless an exception has been documented in the SSP and approved by the AO, such as in the case of group accounts.

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

Device identification and authentication provides for unique identification and authentication of devices on a LAN and/or WAN by using, for example, Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP) addresses or an organizational authentication solution such as Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol (EAP), Remote Authentication Dial In User Service (RADIUS) server with EAP-Transport Layer Security (TLS) authentication, or Kerberos.

This control can be tailored out for standalone IS. Implementing this control ensures that un-authenticated devices, e.g., mobile devices and personal laptop computers, are not able to make a connection to an information system containing PII.

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections). This control supports insider threat mitigation.

 Common  System Specific  Hybrid (Common and System Specific)

The organization manages information system identifiers by:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

Characteristics identifying the status of individuals include, for example, contractors and foreign nationals. Identifying the status of individuals by specific characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor.

 Common  System Specific  Hybrid (Common and System Specific)

• 
  The password mechanism does not support strong password requirements.
  
• 
  The password is one factor of an authorized, multifactor authentication means.
  
• 
  The password is used by a system process (as opposed to an interactive user session).
  

The organization manages IS authenticators by:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

Enforces minimum password complexity for IS of at least 14 characters in length for non-privileged accounts and 15 characters in length for privileged accounts; contains a string of characters that does not include the user’s account name or full name; includes one or more characters from at least 3 of the following 4 classes: Uppercase, lowercase, numerical & special characters;

Enforces at least a minimum of four changed characters;

Stores and transmits only cryptographically-protected passwords;

Enforces password minimum and maximum lifetime restrictions of at least 1 day lifetime minimum and 90 day lifetime maximum;

Prohibits password reuse for a minimum of 24 password generations;

Allows the use of a temporary password for system logons with an immediate change to a permanent password.

These password requirements are for English display language. Other display languages should use equivalent password strength requirements. Passwords shall not be stored on an information system in clear text. An authorized, non-reversible, encryption algorithm (e.g., hash algorithm) shall be used to transform a password into a format that may be stored in a password file for use during subsequent password-validation. Passwords and password files, when transmitted using electronic means, shall be encrypted using an authorized algorithm.

An approved product vendor’s current password hashing algorithm is an authorized algorithm when used on a protected network. When possible, systems shall be configured to automatically notify the user of the requirement to change their password at least fourteen (l4) days before its expiration. The minimum age restriction does not apply to the initial change of a password, help desk password reset, or when compromise of a password is known or suspected.

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

Organizations shall ensure that remote sessions for accessing information systems employ PKI certificates issued by a government-approved registration authority and are audited. If PKI is not feasible, security measures above and beyond standard bulk or session layer encryption shall be implemented (e.g., Secure Shell or VPN with blocking mode enabled) [AC-17(7)].

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

Passwords should be sufficiently strong to resist “password cracking” and other types of attacks intended to discover users’ passwords. Information resources should use automated password filters to verify that passwords are created consistent with this document. Automated tools should be accessible to assist users with checking password strengths and generating passwords. A password cracking method shall be used only with written AO authorization providing explicit direction for use during vulnerability testing. Only authorized personnel will have access to and use password cracking tools. Reference IA-5(1) (a) and (b) for password requirements.

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)

Information systems shall not display any password on a terminal, monitor, or printer when a user enters a password to gain access. Displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information.

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)

 Common  System Specific  Hybrid (Common and System Specific)