Device Class 3: Identification And Authentication (organizational Users)

Control ID: IA-2 Identification And Authentication (organizational Users) Family: Identification and Authentication Source: NIST 800-53r4
Control: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Supplemental Guidance:

Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g.,contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network.

Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.



Related Controls: AC-2, AC-3, AC-14, AC-17, AC-18, IA-4, IA-5, IA-8
Control Enhancements:
(1) Identification And Authentication | Network Access To Privileged Accounts
The information system implements multifactor authentication for network access to privileged accounts.
Supplemental Guidance:
Related Controls: AC-6

(3) Identification And Authentication | Local Access To Privileged Accounts
The information system implements multifactor authentication for local access to privileged accounts.
Supplemental Guidance:
Related Controls: AC-6

(4) Identification And Authentication | Local Access To Non-privileged Accounts
The information system implements multifactor authentication for local access to non-privileged accounts.
Supplemental Guidance:
Related Controls: N/A

(9) Identification And Authentication | Network Access To Non-privileged Accounts - Replay Resistant
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
Supplemental Guidance: Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.
Related Controls: N/A

(12) Identification And Authentication | Acceptance Of Piv Credentials
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.
Supplemental Guidance: This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.
Related Controls: AU-2, PE-3, SA-4

(8) Identification And Authentication | Network Access To Privileged Accounts - Replay Resistant
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
Supplemental Guidance: Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.
Related Controls: N/A
References: N/A
Mechanisms:

  • Device shall require multi-factor authentication for the system management actions defined in Notes on Access Control:
    • Install software other than signed software whose signature chains to a verification key whose integrity is protected by hardware on the device.
    • Modify the access control policy specified in AC-3.
    • Modify the information flow control policy specified in AC-4.
    • Define what types of failed authentication attempts are logged for future action as specified in AC-7.
    • The list of auditable activities and the audit log specified in AU-2.
    • Deletion of audit log data as specified in AU-9, except in the case where the audit log has exceeded the allotted storage space.
    • Add or remove root certificates except when this is done via a signed instruction whose signature chains to a verification key whose integrity is protected by hardware on the device.
    • Device may require multi-factor authentication for other actions.
  • Passwords used in multi-factor authentication shall meet the requirements specified in IA-5 enhancement 1 , authenticator management | password-based authentication.
  • Device shall require multi-factor authentication for the system management actions defined in Notes on Access Control. See NETWORK ACCESS TO PRIVILEGED ACCOUNTS.
  • Device may require multi-factor authentication for other locally-accessed actions.
  • Network access to privileged accounts shall be over SSH, which provides replay resistance.NOTE: SSH shall use RSA keys of length 2048 bits or longer or ECC keys of length 256 bits or longer.
  • Device may accept PIV credentials as specified in FIPS 201 and supporting guidance documents .
  • The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

Protocol Implementation Conformance Statements:
ID Statement Status Reference Notes
IA-2(1)/1 Supports multi-factor authentication for network-accessed security management actions M 3.2.7 Describe authentication mechanisms
IA-2(1)/1.1 Supports installation of non-signed software M
IA-2(1)/1.2 Supports modification of the access control policy specified in AC-3. M AC-3
IA-2(1)/1.3 Supports modification of information flow control policy specified in AC-4. M AC-4
IA-2(1)/1.4 Supports definition of what types of failed authentication attempts are logged for future action as specified in AC-7. M AC-7
IA-2(1)/1.5 Supports the list of auditable activities and the audit log specified in AU-2. M AU-2
IA-2(1)/1.6 Allows deletion of audit log data as specified in AU-9, except in the case where the audit log has exceeded the allotted storage space. M AU-9
IA-2(1)/1.7 Supports add or remove root certificates M
IA-2(1)/1.8 Requires multi-factor authentication for other network-accessed actions. O Specify other actions
IA-2(3)/2 Supports multi-factor authentication for locally-accessed security management actions M 3.2.7 Describe authentication mechanisms
IA-2(3)/2.1 Supports installation of non-signed software M
IA-2(3)/2.2 Supports modification of the access control policy specified in AC-3. M AC-3
IA-2(3)/2.3 Supports modification of information flow control policy specified in AC-4. M AC-4
IA-2(3)/2.4 Supports definition of what types of failed authentication attempts are logged for future action as specified in AC-7. M AC-7
IA-2(3)/2.5 Supports the list of auditable activities and the audit log specified in AU-2. M AU-2
IA-2(3)/2.6 Allows deletion of audit log data as specified in AU-9, except in the case where the audit log has exceeded the allotted storage space. M AU-9
IA-2(3)/2.7 Supports add or remove root certificates M
IA-2(3)/2.8 Requires multi-factor authentication for other locally-accessed actions. O Specify other actions
IA-2(1)/3 Passwords used in multi-factor authentication meet the requirements specified in IA-5 enhancement 1 M IA-5
IA-2(8)/4 Support SSH access to privileged accounts, requiring RSA keys of length 2048 bits or longer or ECC keys of length 256 bits or longer. M
IA-2(12)/5 Accept PIV credentials O FIPS 201
IA-2(4)/6 Supports multi-factor authentication for local access to non-privileged accounts M 3.2.7 Describe authentication mechanisms
IA-2(9)/7 Provides replay-resistant authentication mechanisms for network access to non-privileged accounts. M IEEE 1609.2 Specify mechanisms