NIST SP 800-53A
Special Publication 800-53A
Guide for Assessing the Security Controls in Federal Information Systems and Organizations
________________________________________________________________________________________________
FAMILY: IDENTIFICATION AND AUTHENTICATION
CLASS: TECHNICAL

ASSESSMENT PROCEDURE
IA-2   IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

IA-2.1 ASSESSMENT OBJECTIVE:
Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].

IA-2(1)   IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

IA-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for network access to privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].

IA-2(2)   IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

IA-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for network access to non-privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of non-privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].

APPENDIX F-IA
PAGE F-131

IA-2(3)   IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

IA-2(3).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for local access to privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].

IA-2(4)   IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

IA-2(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for local access to non-privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of non-privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].

IA-2(5)   IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

IA-2(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization allows the use of group authenticators only when used in conjunction with an individual/unique authenticator; and
(ii) the organization requires individuals to be authenticated with an individual authenticator prior to using a group authenticator.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].

IA-2(6)   IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

IA-2(6).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].

IA-2(7)   IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

IA-2(7).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the information system being accessed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of non-privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].

IA-2(8)   IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

IA-2(8).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the replay-resistant authentication mechanisms to be used for network access to privileged accounts; and
(ii) the information system uses the organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].

IA-2(9)   IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

IA-2(9).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the replay-resistant authentication mechanisms to be used for network access to non-privileged accounts; and
(ii) the information system uses the organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].

IA-3   DEVICE IDENTIFICATION AND AUTHENTICATION

IA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the specific devices and/or types of devices for which identification and authentication is required before establishing a connection to the information system; and
(ii) the information system uniquely identifies and authenticates the organization-defined devices before establishing a connection to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; list of devices requiring unique identification and authentication; device connection reports; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing device identification and authentication].

IA-3(1)   DEVICE IDENTIFICATION AND AUTHENTICATION

IA-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system authenticates devices before establishing remote network connections using bi-directional authentication between devices that is cryptographically based; and
(ii) the information system authenticates devices before establishing wireless network connections using bi-directional authentication between devices that is cryptographically based.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; device connection reports; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing device identification and authentication].

IA-3(2)   DEVICE IDENTIFICATION AND AUTHENTICATION

IA-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system authenticates devices before establishing network connections using bidirectional authentication between devices that is cryptographically based.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; device connection reports; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing device identification and authentication].

IA-3(3)   DEVICE IDENTIFICATION AND AUTHENTICATION

IA-3(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization standardizes, with regard to dynamic address allocation, Dynamic Host Control Protocol (DHCP) lease information and the time assigned to DHCP-enabled devices; and
(ii) the organization audits DHCP lease information (including IP addresses) when assigned to DHCP-enabled devices.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; information system configuration settings and associated documentation; DHCP lease information; device connection reports; other relevant documents or records].

IA-4   IDENTIFIER MANAGEMENT

IA-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period for preventing reuse of user or device identifiers;
(ii) the organization defines the time period of inactivity after which a user identifier is to be disabled; and
(iii) the organization manages information system identifiers for users and devices by:
- receiving authorization from a designated organizational official to assign a user or device identifier;
- selecting an identifier that uniquely identifies an individual or device;
- assigning the user identifier to the intended party or the device identifier to the intended device;
- preventing reuse of user or device identifiers for the organization-defined time period; and
- disabling the user identifier after the organization-defined time period of inactivity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; list of identifiers generated from physical access control devices; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identifier management responsibilities].
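As an added illustration of the IA-4.1 conditions (this is not part of SP 800-53A and not an assessor tool the guide prescribes), the checker below runs the uniqueness, authorization, reuse-period and inactivity conditions of objective (iii) over an exported account list. The account records, the 365-day reuse period and the 90-day inactivity period are constructed sample values; in an actual assessment the two periods are the organization-defined values taken from the security plan.

```python
"""Identifier lifecycle checks modelled on the IA-4.1 objectives (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Identifier:
    name: str
    kind: str                      # "user" or "device"
    assigned_on: date
    authorized_by: Optional[str]   # designated official who approved the assignment
    last_activity: Optional[date]  # None means the identifier has never been used
    retired_on: Optional[date] = None  # set when the identifier was taken out of use


Finding = Tuple[str, str]  # (check code, identifier name)


def audit_identifiers(records: List[Identifier], today: date,
                      reuse_period: timedelta, inactivity_period: timedelta) -> List[Finding]:
    """Return one finding per IA-4.1 (iii) condition that the record set violates."""
    findings: List[Finding] = []
    active = [r for r in records if r.retired_on is None]

    # Assignment must have been authorized by a designated organizational official.
    for r in records:
        if not r.authorized_by:
            findings.append(("missing-authorization", r.name))

    # An identifier must uniquely identify one individual or device.
    seen = set()
    for r in active:
        key = (r.kind, r.name)
        if key in seen:
            findings.append(("duplicate-active", r.name))
        seen.add(key)

    # No reuse of a retired identifier inside the organization-defined period (objective (i)).
    for r in active:
        for old in records:
            if old.retired_on is None or (old.kind, old.name) != (r.kind, r.name):
                continue
            if old.retired_on <= r.assigned_on < old.retired_on + reuse_period:
                findings.append(("reused-too-soon", r.name))

    # User identifiers idle longer than the defined period must be disabled (objective (ii)).
    for r in active:
        if r.kind != "user":
            continue
        last_seen = r.last_activity or r.assigned_on
        if today - last_seen > inactivity_period:
            findings.append(("disable-inactive", r.name))
    return findings


# Constructed sample data: organization-defined periods and an account export.
TODAY = date(2024, 6, 30)
REUSE_PERIOD = timedelta(days=365)
INACTIVITY_PERIOD = timedelta(days=90)
SAMPLE = [
    Identifier("jdoe", "user", date(2021, 1, 4), "ISSO", date(2024, 6, 28)),
    Identifier("jdoe", "user", date(2024, 6, 10), "ISSO", date(2024, 6, 29)),      # duplicate
    Identifier("asmith", "user", date(2022, 3, 1), "ISSO", date(2024, 2, 1)),      # idle 150 days
    Identifier("bjones", "user", date(2023, 5, 5), "ISSO", None, retired_on=date(2024, 1, 15)),
    Identifier("bjones", "user", date(2024, 6, 1), "ISSO", date(2024, 6, 29)),     # reassigned early
    Identifier("printer-07", "device", date(2024, 5, 20), None, date(2024, 6, 30)),  # no approval
    Identifier("svc-backup", "user", date(2024, 1, 10), "ISSO", None),             # never used
]


def run_sample() -> List[Finding]:
    return sorted(audit_identifiers(SAMPLE, TODAY, REUSE_PERIOD, INACTIVITY_PERIOD))


if __name__ == "__main__":
    for code, name in run_sample():
        print(f"{code:22} {name}")
```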

IA-4(1)   IDENTIFIER MANAGEMENT

IA-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization prohibits the use of information system account identifiers as public identifiers for user electronic mail accounts (i.e., the user identifier portion of the electronic mail address).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

IA-4(2)   IDENTIFIER MANAGEMENT

IA-4(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization requires that registration to receive a user ID and password include authorization by a supervisor; and
(ii) the organization requires that registration to receive a user ID and password be done in person before a designated registration authority.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; user ID and password registration documentation; ID and password authorization records; registration authority records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identifier management responsibilities].

IA-4(3)   IDENTIFIER MANAGEMENT

IA-4(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires multiple forms of certification of individual identification, such as documentary evidence or a combination of documents and biometrics, be presented to the registration authority.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; identifier certification documentation; organizational personnel biometrics records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identifier management responsibilities].

IA-4(4)   IDENTIFIER MANAGEMENT

IA-4(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the characteristic to be used to identify user status; and
(ii) the organization manages user identifiers by uniquely identifying the user with the organization-defined characteristic identifying user status.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; list of characteristics identifying user status; other relevant documents or records].

IA-4(5)   IDENTIFIER MANAGEMENT

IA-4(5).1 ASSESSMENT OBJECTIVE:
Determine if the information system dynamically manages:
- identifiers;
- attributes; and
- associated access authorizations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identifier management functions].

IA-5   AUTHENTICATOR MANAGEMENT

IA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period (by authenticator type) for changing/refreshing authenticators; and
(ii) the organization manages information system authenticators for users and devices by:
- verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
- establishing initial authenticator content for authenticators defined by the organization;
- ensuring that authenticators have sufficient strength of mechanism for their intended use;
- establishing and implementing administrative procedures for initial authenticator distribution;
- establishing and implementing administrative procedures for lost/compromised or damaged authenticators;
- establishing and implementing administrative procedures for revoking authenticators;
- changing default content of authenticators upon information system installation;
- establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if deemed to be appropriate by the organization);
- changing/refreshing authenticators in accordance with the organization-defined time period by authenticator type;
- protecting authenticator content from unauthorized disclosure and modification; and
- requiring users to take, and having devices implement, specific measures to safeguard authenticators.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for determining initial authenticator content].
Test: [SELECT FROM: Automated mechanisms implementing authenticator management functions].
