Device Class 1: Re-authentication

Control ID: IA-11 Re-authentication
Family: Identification and Authentication
Source: NIST 800-53r4
Control: The organization requires users and devices to re-authenticate to obtain access to protected resources (i) when authenticators (e.g., enrolment certificate, pseudonym certificate, application certificate) change; (ii) when the service provider changes during an activity engaged with that service provider; (iii) when security categories of information systems change; (iv) when the execution of privileged functions occurs; (v) after a fixed period of time; and (vi) periodically.
Supplemental Guidance:
In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations including, for example: (i) when authenticators change; (ii) when roles change; (iii) when security categories of information systems change; (iv) when the execution of privileged functions occurs; (v) after a fixed period of time; or (vi) periodically.

Related Controls: AC-11
Control Enhancements: N/A
References: N/A
Mechanisms:

  • Device shall provide the ability to force re-authentication when any of the conditions identified in the "Control" statement above holds.

Protocol Implementation Conformance Statements:
| ID | Statement | Status | Reference | Notes |
|---|---|---|---|---|
| IA-11/1.1 | Device requires user to re-authenticate when authenticator changes | M | | |
| IA-11/1.2 | Device requires user to re-authenticate when service provider changes | M | | |
| IA-11/1.3 | Device requires user to re-authenticate when security categories change | M | Section 3.2 | |
| IA-11/1.4 | Device requires user to re-authenticate when privileged functions execute | M | | |
| IA-11/1.5 | Device requires user to re-authenticate after a fixed period of time | C1 | | Specify period |
| IA-11/1.6 | Device requires user to re-authenticate periodically | C1 | | Specify periodicity |
| IA-11/2.1 | Device requires process to re-authenticate when authenticator changes | M | | |
| IA-11/2.2 | Device requires process to re-authenticate when service provider changes | M | | |
| IA-11/2.3 | Device requires process to re-authenticate when security categories change | M | Section 3.2 | |
| IA-11/2.4 | Device requires process to re-authenticate when privileged functions execute | M | | |
| IA-11/2.5 | Device requires process to re-authenticate after a fixed period of time | C1 | | Specify period |
| IA-11/2.6 | Device requires process to re-authenticate periodically | C1 | | Specify periodicity |