IA.L1-3.5.2/b.1.vi Authentication
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Source: FAR Clause 52.204-21 b.1.vi, NIST SP 800-171 Rev 2 3.5.2
Discussion: Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time-synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords. [SP 800-63-3] provides guidance on digital identities.
Assessment Objectives:
Determine if:
- [a] the identity of each user is authenticated or verified as a prerequisite to system access;
- [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and
- [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; security plan; system design documentation; system configuration settings and associated documentation; list of system authenticator types; change control records associated with managing system authenticators; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Mechanisms supporting or implementing authenticator management capability].
SPRS Score: 5
POA&M Allowed: No