Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/IA

From FISMApedia

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


IDENTIFICATION AND AUTHENTICATION

IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-1 Identification and Authentication Policy and Procedures
Priority: P1 | LOW: IA-1 | MOD: IA-1 | HIGH: IA-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-1


ASSESSMENT PROCEDURE
IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents identification and authentication policy;
(ii) the organization identification and authentication policy addresses:
(iii) the organization disseminates formal documented identification and authentication policy to elements within the organization having associated identification and authentication roles and responsibilities;
(iv) the organization develops and formally documents identification and authentication procedures;
(v) the organization identification and authentication procedures facilitate implementation of the identification and authentication policy and associated identification and authentication controls; and
(vi) the organization disseminates formal documented identification and authentication procedures to elements within the organization having associated identification and authentication roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identification and authentication responsibilities].
IA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of identification and authentication policy reviews/updates;
(ii) the organization reviews/updates identification and authentication policy in accordance with the organization-defined frequency;
(iii) the organization defines the frequency of identification and authentication procedure reviews/updates; and
(iv) the organization reviews/updates identification and authentication procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identification and authentication responsibilities].


IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-2 Identification and Authentication (Organizational Users)
Priority: P1 | LOW: IA-2 (1) | MOD: IA-2 (1) (2) (3) (8) | HIGH: IA-2 (1) (2) (3) (4) (8) (9)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-2


ASSESSMENT PROCEDURE
IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2.1 ASSESSMENT OBJECTIVE:
Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-2/1


IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for network access to privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-2/2


IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for network access to non-privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of non-privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-2/3


IA-2(3) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(3).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for local access to privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-2/4


IA-2(4) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for local access to non-privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of non-privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-2/5


IA-2(5) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization allows the use of group authenticators only when used in conjunction with an individual/unique authenticator; and
(ii) the organization requires individuals to be authenticated with an individual authenticator prior to using a group authenticator.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-2/6


IA-2(6) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(6).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-2/7


IA-2(7) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(7).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the information system being accessed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of non-privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-2/8


IA-2(8) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(8).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the replay-resistant authentication mechanisms to be used for network access to privileged accounts; and
(ii) the information system uses the organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-2/9


IA-2(9) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(9).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the replay-resistant authentication mechanisms to be used for network access to non-privileged accounts; and
(ii) the information system uses the organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].
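The enhancements IA-2(1) through IA-2(7) ask whether a second factor is in use (for (6) and (7), one generated on a device separate from the system being accessed), and IA-2(8) and IA-2(9) ask whether that mechanism resists replay. The following Python is an added example, not part of the 800-53A text or of this FISMApedia page. It implements HOTP/TOTP (RFC 4226 / RFC 6238), which is what a separate token or phone app computes, and contrasts a verifier that only checks the code against a time window (a captured code stays valid until the window passes) with one that remembers the last consumed time step and so refuses the replay. The secret, the 30-second step, the plus-or-minus one step window and the class names are assumptions of the example; the test secret and expected codes in the demonstration are the published RFC 6238 Appendix B vectors.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the current time step.
    This is what the separate device (hardware token or phone app) computes."""
    return hotp(secret, unix_time // step, digits)


def verify_naive(secret: bytes, code: str, unix_time: int, window: int = 1,
                 step: int = 30, digits: int = 6) -> bool:
    """Accepts any code valid within +/- `window` steps of now.
    Not replay-resistant: a captured code is accepted again until the window passes."""
    current = unix_time // step
    return any(hmac.compare_digest(hotp(secret, current + d, digits), code)
               for d in range(-window, window + 1))


class TotpVerifier:
    """Replay-resistant verifier: each time step can be consumed at most once
    (the RFC 6238 section 5.2 recommendation). State is kept per enrolled device."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_accepted_step = -1      # highest step already used for a login

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = current + drift
            if candidate <= self.last_accepted_step:
                continue                  # already consumed: accepting it would be a replay
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), 8-digit codes.
    secret = b"12345678901234567890"
    code = totp(secret, 59, digits=8)               # "94287082" per the RFC table
    # An attacker who captured `code` at t=59 replays it at t=70, still inside step 1's window.
    print("naive verifier accepts replay:", verify_naive(secret, code, 70, digits=8))
    v = TotpVerifier(secret, digits=8)
    print("first use:", v.verify(code, 59), "replay:", v.verify(code, 70))
```

When assessing IA-2(8)/(9), the test to run against the real mechanism is the one in the `__main__` block: capture one successful authentication exchange and submit it again within the validity window; a replay-resistant system must refuse it.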


IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-3 Device Identification and Authentication
Priority: P1 | LOW: Not Selected | MOD: IA-3 | HIGH: IA-3


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-3


ASSESSMENT PROCEDURE
IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
IA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the specific devices and/or types of devices for which identification and authentication is required before establishing a connection to the information system; and
(ii) the information system uniquely identifies and authenticates the organization-defined devices before establishing a connection to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; list of devices requiring unique identification and authentication; device connection reports; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing device identification and authentication].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-3/1


IA-3(1) DEVICE IDENTIFICATION AND AUTHENTICATION
IA-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system authenticates devices before establishing remote network connections using bidirectional authentication between devices that is cryptographically based; and
(ii) the information system authenticates devices before establishing wireless network connections using bidirectional authentication between devices that is cryptographically based.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; device connection reports; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing device identification and authentication].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-3/2


IA-3(2) DEVICE IDENTIFICATION AND AUTHENTICATION
IA-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system authenticates devices before establishing network connections using bidirectional authentication between devices that is cryptographically based.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; device connection reports; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing device identification and authentication].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-3/3


IA-3(3) DEVICE IDENTIFICATION AND AUTHENTICATION
IA-3(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization standardizes, with regard to dynamic address allocation, Dynamic Host Configuration Protocol (DHCP) lease information and the lease time assigned to DHCP-enabled devices; and
(ii) the organization audits DHCP lease information (including IP addresses) when it is assigned to DHCP-enabled devices.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; information system configuration settings and associated documentation; DHCP lease information; device connection reports; other relevant documents or records].
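The enhancement says what to audit but not how. As an added example (not from 800-53A or this page), the Python below parses a fragment written in ISC dhcpd `dhcpd.leases` syntax, checks every lease length against an organization-standard lease time, and produces one audit record per lease that ties the assigned address to the device's hardware address and to an inventory of devices authorized under IA-3. The three sample leases, the 8-hour standard and the inventory are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in ISC dhcpd.leases syntax (not a real capture).
SAMPLE_LEASES = """\
lease 10.20.0.23 {
  starts 3 2024/01/10 14:02:11;
  ends 3 2024/01/10 22:02:11;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-01";
}
lease 10.20.0.24 {
  starts 3 2024/01/10 14:05:40;
  ends 4 2024/01/11 14:05:40;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "printer-2";
}
lease 10.20.0.25 {
  starts 3 2024/01/10 15:30:00;
  ends 3 2024/01/10 23:30:00;
  binding state active;
  hardware ethernet de:ad:be:ef:00:01;
}
"""

STANDARD_LEASE = timedelta(hours=8)          # organization-defined value, assumed here
AUTHORIZED_DEVICES = {                        # hypothetical IA-3 device inventory
    "00:11:22:33:44:55": "laptop-01",
    "00:11:22:33:44:66": "printer-2",
}

LEASE_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
TIME_FMT = "%Y/%m/%d %H:%M:%S"               # dhcpd writes lease times in UTC


def _field(pattern, body):
    m = re.search(pattern, body)
    return m.group(1) if m else None


def parse_leases(text):
    """Yield one dict per lease block with parsed start/end times and client identity."""
    for m in LEASE_BLOCK.finditer(text):
        ip, body = m.group(1), m.group(2)
        starts = _field(r"starts\s+\d\s+(\S+ \S+);", body)
        ends = _field(r"ends\s+\d\s+(\S+ \S+);", body)
        yield {
            "ip": ip,
            "starts": datetime.strptime(starts, TIME_FMT) if starts else None,
            "ends": datetime.strptime(ends, TIME_FMT) if ends else None,
            "state": _field(r"binding state (\w+);", body),
            "mac": _field(r"hardware ethernet ([0-9a-fA-F:]+);", body),
            "hostname": _field(r'client-hostname "([^"]*)";', body),
        }


def audit_leases(text, standard=STANDARD_LEASE, inventory=AUTHORIZED_DEVICES):
    """Return an audit record per lease, flagging non-standard lease times and
    addresses handed to hardware that is not in the authorized-device inventory."""
    records = []
    for lease in parse_leases(text):
        flags = []
        if lease["starts"] and lease["ends"]:
            duration = lease["ends"] - lease["starts"]
            if duration != standard:
                flags.append(f"non-standard lease time {duration}")
        else:
            flags.append("missing start/end time")
        if lease["mac"] not in inventory:
            flags.append("hardware address not in device inventory")
        records.append({**lease, "flags": flags})
    return records


if __name__ == "__main__":
    for r in audit_leases(SAMPLE_LEASES):
        print(r["ip"], r["mac"], r["hostname"] or "-", r["starts"],
              "; ".join(r["flags"]) or "ok")
```

The second lease is flagged because it was handed out for 24 hours instead of the standard 8, and the third because its hardware address is not an inventoried device; both are the kinds of record an assessor would expect to find in the "device connection reports" listed above.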



IA-4 IDENTIFIER MANAGEMENT


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-4 Identifier Management
Priority: P1 | LOW: IA-4 | MOD: IA-4 | HIGH: IA-4


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-4


ASSESSMENT PROCEDURE
IA-4 IDENTIFIER MANAGEMENT
IA-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period for preventing reuse of user or device identifiers;
(ii) the organization defines the time period of inactivity after which a user identifier is to be disabled; and
(iii) the organization manages information system identifiers for users and devices by:
  • receiving authorization from a designated organizational official to assign a user or device identifier;
  • selecting an identifier that uniquely identifies an individual or device;
  • assigning the user identifier to the intended party or the device identifier to the intended device;
  • preventing reuse of user or device identifiers for the organization-defined time period; and
  • disabling the user identifier after the organization-defined time period of inactivity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; list of identifiers generated from physical access control devices; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identifier management responsibilities].
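The five bullets above are a life cycle, and the last two (a reuse quarantine and an inactivity cut-off) are usually enforced by an automated mechanism rather than by procedure alone. The Python below is an added example (not from 800-53A or this page) of a registry that enforces all five: assignment needs a designated approving official, identifiers are unique, use is recorded, identifiers idle past the limit are disabled, and a retired identifier cannot be reassigned until its quarantine has elapsed. The approver list, the 90-day inactivity limit, the 365-day quarantine and the `IdentifierRegistry` name are assumed values for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

T0 = datetime(2024, 1, 1)      # reference time for the demonstration
DAY = timedelta(days=1)


class IdentifierRegistry:
    """Tracks user/device identifiers through assignment, use, inactivity and retirement."""

    def __init__(self, approvers, inactivity_limit=90 * DAY, reuse_quarantine=365 * DAY):
        self.approvers = set(approvers)            # designated organizational officials
        self.inactivity_limit = inactivity_limit   # organization-defined (IA-4 ii)
        self.reuse_quarantine = reuse_quarantine   # organization-defined (IA-4 i)
        self.active: Dict[str, dict] = {}          # identifier -> record
        self.retired: Dict[str, datetime] = {}     # identifier -> retirement time

    def assign(self, identifier: str, holder: str, authorized_by: str, now: datetime) -> None:
        if authorized_by not in self.approvers:
            raise PermissionError(f"{authorized_by} is not a designated approving official")
        if identifier in self.active:
            raise ValueError(f"{identifier} is already assigned")     # must be unique
        retired_at = self.retired.get(identifier)
        if retired_at is not None and now - retired_at < self.reuse_quarantine:
            raise ValueError(f"{identifier} cannot be reused until "
                             f"{retired_at + self.reuse_quarantine:%Y-%m-%d}")
        self.retired.pop(identifier, None)
        self.active[identifier] = {"holder": holder, "authorized_by": authorized_by,
                                   "assigned": now, "last_used": now, "disabled": False}

    def record_use(self, identifier: str, now: datetime) -> bool:
        """Called on each successful authentication; a disabled identifier cannot be used."""
        rec = self.active[identifier]
        if rec["disabled"]:
            return False
        rec["last_used"] = now
        return True

    def disable_inactive(self, now: datetime) -> List[str]:
        """Periodic sweep: disable identifiers unused for longer than the inactivity limit."""
        newly = []
        for ident, rec in self.active.items():
            if not rec["disabled"] and now - rec["last_used"] > self.inactivity_limit:
                rec["disabled"] = True
                newly.append(ident)
        return newly

    def retire(self, identifier: str, now: datetime) -> None:
        """Remove an identifier (separation or decommissioning); starts the reuse quarantine."""
        del self.active[identifier]
        self.retired[identifier] = now

    def is_enabled(self, identifier: str) -> bool:
        rec = self.active.get(identifier)
        return rec is not None and not rec["disabled"]


def try_assign(registry, identifier, holder, authorized_by, now) -> Optional[str]:
    """Convenience wrapper: return the refusal reason instead of raising."""
    try:
        registry.assign(identifier, holder, authorized_by, now)
        return None
    except (PermissionError, ValueError) as exc:
        return str(exc)


if __name__ == "__main__":
    reg = IdentifierRegistry(approvers={"it-manager"})
    print(try_assign(reg, "alice", "Alice", "helpdesk", T0))        # refused: not an approver
    print(try_assign(reg, "alice", "Alice", "it-manager", T0))      # None: assigned
    reg.record_use("alice", T0 + 30 * DAY)
    print(reg.disable_inactive(T0 + 121 * DAY))                      # ['alice']: 91 days idle
    reg.retire("alice", T0 + 130 * DAY)
    print(try_assign(reg, "alice", "Alice Jr", "it-manager", T0 + 200 * DAY))  # quarantined
```

The assessor's "list of information system accounts" maps to `active` plus `retired` here; comparing the two against HR separation dates is the usual way to test that the inactivity and reuse rules are actually applied.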



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-4/1


IA-4(1) IDENTIFIER MANAGEMENT
IA-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization prohibits the use of information system account identifiers as public identifiers for user electronic mail accounts (i.e., as the user identifier portion of the electronic mail address).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-4/2


IA-4(2) IDENTIFIER MANAGEMENT
IA-4(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization requires that registration to receive a user ID and password include authorization by a supervisor; and
(ii) the organization requires that registration to receive a user ID and password be done in person before a designated registration authority.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; user ID and password registration documentation; ID and password authorization records; registration authority records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identifier management responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-4/3


IA-4(3) IDENTIFIER MANAGEMENT
IA-4(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires that multiple forms of certification of individual identification, such as documentary evidence or a combination of documents and biometrics, be presented to the registration authority.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; identifier certification documentation; organizational personnel biometrics records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identifier management responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-4/4


IA-4(4) IDENTIFIER MANAGEMENT
IA-4(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the characteristic to be used to identify user status; and
(ii) the organization manages user identifiers by uniquely identifying the user with the organization-defined characteristic identifying user status.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; list of characteristics identifying user status; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-4/5


IA-4(5) IDENTIFIER MANAGEMENT
IA-4(5).1 ASSESSMENT OBJECTIVE:
Determine if the information system dynamically manages:
  • identifiers;
  • attributes; and
  • associated access authorizations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identifier management functions].


IA-5 AUTHENTICATOR MANAGEMENT


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-5 Authenticator Management
Priority: P1 | LOW: IA-5 (1) | MOD: IA-5 (1) (2) (3) | HIGH: IA-5 (1) (2) (3)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-5


ASSESSMENT PROCEDURE
IA-5 AUTHENTICATOR MANAGEMENT
IA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period (by authenticator type) for changing/refreshing authenticators; and
(ii) the organization manages information system authenticators for users and devices by:
  • verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
  • establishing initial authenticator content for authenticators defined by the organization;
  • ensuring that authenticators have sufficient strength of mechanism for their intended use;
  • establishing and implementing administrative procedures for initial authenticator distribution;
  • establishing and implementing administrative procedures for lost/compromised or damaged authenticators;
  • establishing and implementing administrative procedures for revoking authenticators;
  • changing default content of authenticators upon information system installation;
  • establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if deemed to be appropriate by the organization);
  • changing/refreshing authenticators in accordance with the organization-defined time period by authenticator type;
  • protecting authenticator content from unauthorized disclosure and modification; and
  • requiring users to take, and having devices implement, specific measures to safeguard authenticators.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for determining initial authenticator content].
Test: [SELECT FROM: Automated mechanisms implementing authenticator management functions].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-5/1


IA-5(1) AUTHENTICATOR MANAGEMENT
IA-5(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the minimum password complexity requirements to be enforced for case sensitivity, the number of characters, and the mix of upper-case letters, lower-case letters, numbers, and special characters including minimum requirements for each type;
(ii) the organization defines the minimum number of characters that must be changed when new passwords are created;
(iii) the organization defines the restrictions to be enforced for password minimum lifetime and password maximum lifetime parameters;
(iv) the organization defines the number of generations for which password reuse is prohibited; and
(v) the information system, for password-based authentication:
  • enforces the minimum password complexity standards that meet the organization-defined requirements;
  • enforces the organization-defined minimum number of characters that must be changed when new passwords are created;
  • encrypts passwords in storage and in transmission;
  • enforces the organization-defined restrictions for password minimum lifetime and password maximum lifetime parameters; and
  • prohibits password reuse for the organization-defined number of generations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; security plan; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing authenticator management functions].
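The five system-side bullets above are individually simple but interact: the reuse check has to work against whatever is stored, and the minimum-changed-characters check needs the old password in hand at change time. One caveat a practitioner should carry into the assessment: the text says "encrypts passwords in storage", but the accepted way to meet that intent is a salted, iterated one-way hash rather than reversible encryption, and a one-way hash is also what the reuse check must be written against (the candidate is re-hashed under each stored salt). The Python below is an added example, not from 800-53A or this page, that enforces all five bullets over a PBKDF2-HMAC-SHA256 store. The policy values (14 characters, one of each class, 4 characters changed, 24 generations, 1-day minimum and 60-day maximum lifetime) and the class names are assumed for the example.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta
from typing import List

PBKDF2_ROUNDS = 100_000
T0 = datetime(2024, 1, 1)      # reference time for the demonstration
DAY = timedelta(days=1)


def _digest(password: str, salt: bytes) -> bytes:
    """Salted one-way hash; plaintext is never stored, so reuse is checked by re-hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of characters that differ between old and new."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class PasswordPolicy:
    """Organization-defined IA-5(1) parameters; the defaults are assumed values."""

    def __init__(self, min_length=14, min_upper=1, min_lower=1, min_digit=1,
                 min_special=1, min_changed=4, history=24,
                 min_lifetime=DAY, max_lifetime=60 * DAY):
        self.min_length, self.min_changed, self.history = min_length, min_changed, history
        self.min_lifetime, self.max_lifetime = min_lifetime, max_lifetime
        self.class_minimums = {"upper": min_upper, "lower": min_lower,
                               "digit": min_digit, "special": min_special}

    def complexity_errors(self, pw: str) -> List[str]:
        counts = {"upper": sum(c.isupper() for c in pw),
                  "lower": sum(c.islower() for c in pw),
                  "digit": sum(c.isdigit() for c in pw),
                  "special": sum(c in string.punctuation for c in pw)}
        errors = [f"shorter than {self.min_length} characters"] if len(pw) < self.min_length else []
        errors += [f"fewer than {need} {kind} characters"
                   for kind, need in self.class_minimums.items() if counts[kind] < need]
        return errors


class PasswordStore:
    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.users = {}        # user -> {"history": [(salt, digest), ...] newest first, "changed": dt}

    def set_initial(self, user: str, password: str, now: datetime) -> List[str]:
        errors = self.policy.complexity_errors(password)
        if not errors:
            salt = os.urandom(16)
            self.users[user] = {"history": [(salt, _digest(password, salt))], "changed": now}
        return errors

    def change_password(self, user: str, old: str, new: str, now: datetime) -> List[str]:
        """Apply every IA-5(1) rule; commit only if the list of violations is empty."""
        p, rec = self.policy, self.users[user]
        salt, digest = rec["history"][0]
        if not hmac.compare_digest(_digest(old, salt), digest):
            return ["current password incorrect"]
        errors = []
        if now - rec["changed"] < p.min_lifetime:
            errors.append("minimum password lifetime not reached")
        errors += p.complexity_errors(new)
        if edit_distance(old, new) < p.min_changed:
            errors.append(f"fewer than {p.min_changed} characters changed")
        if any(hmac.compare_digest(_digest(new, s), d) for s, d in rec["history"][:p.history]):
            errors.append(f"matches one of the last {p.history} passwords")
        if errors:
            return errors
        salt = os.urandom(16)
        rec["history"] = [(salt, _digest(new, salt))] + rec["history"][:p.history - 1]
        rec["changed"] = now
        return []

    def is_expired(self, user: str, now: datetime) -> bool:
        return now - self.users[user]["changed"] > self.policy.max_lifetime


if __name__ == "__main__":
    store = PasswordStore(PasswordPolicy())
    store.set_initial("alice", "Correct-Horse-Battery-9", T0)
    print(store.change_password("alice", "Correct-Horse-Battery-9", "Correct-Horse-Battery-8", T0 + 2 * DAY))
    print(store.change_password("alice", "Correct-Horse-Battery-9", "Another-Strong-Pass-77", T0 + 2 * DAY))
```

Returning the full list of violations rather than the first one is deliberate: it lets an assessor exercise each bullet of the objective separately with a single change attempt per rule.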


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-5/2


IA-5(2) AUTHENTICATOR MANAGEMENT
IA-5(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system, for PKI-based authentication:
  • validates certificates by constructing a certification path with status information to an accepted trust anchor;
  • enforces authorized access to the corresponding private key; and
  • maps the authenticated identity to the user account.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; security plan; information system design documentation; information system configuration settings and associated documentation; PKI certificate revocation lists; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for PKI-based authentication management].
Test: [SELECT FROM: Automated mechanisms implementing PKI-based authenticator management functions].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-5/3


IA-5(3) AUTHENTICATOR MANAGEMENT
IA-5(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the types of authenticators and/or specific authenticators for which the registration process must be carried out in person before a designated registration authority with authorization by a designated organizational official; and
(ii) the organization requires that the registration process to receive the organization-defined types of authenticators and/or specific authenticators be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; list of authenticators that require in-person registration; authenticator registration documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with authenticator management responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-5/4


IA-5(4) AUTHENTICATOR MANAGEMENT
IA-5(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated tools to determine if authenticators are sufficiently strong to resist attacks intended to discover or otherwise compromise the authenticators.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; information system design documentation; information system configuration settings and associated documentation; automated tools for testing authenticators; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with authenticator management responsibilities].
Test: [SELECT FROM: Automated mechanisms for authenticator strength].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-5/5


IA-5(5) AUTHENTICATOR MANAGEMENT
IA-5(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires vendors and/or manufacturers of information system components to provide unique authenticators or change default authenticators prior to delivery.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; system and services acquisition policy; procedures addressing authenticator management; procedures addressing the integration of security requirements into the acquisition process; acquisition documentation; acquisition contracts for information system procurements or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel with information system security, acquisition, and contracting responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-5/6


IA-5(6) AUTHENTICATOR MANAGEMENT
IA-5(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization protects authenticators commensurate with the classification or sensitivity of the information accessed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; information classification or sensitivity documentation; security categorization documentation for the information system; security assessments of authenticator protections; risk assessment results; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel implementing and/or maintaining authenticator protections].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-5/7


IA-5(7) AUTHENTICATOR MANAGEMENT
IA-5(7).1 ASSESSMENT OBJECTIVE:
Determine if the organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; information system design documentation; information system configuration settings and associated documentation; logical access scripts; application code reviews for detecting unencrypted static authenticators; other relevant documents or records].
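The "application code reviews for detecting unencrypted static authenticators" listed above are usually done with a scanner rather than by eye. As an added example (not from 800-53A or this page), the Python below scans script text for the common forms of an embedded static authenticator (a literal assigned to a password/secret/token variable, an AWS access key ID, credentials inside a URL, and pasted private-key material) while ignoring values that are looked up at run time from the environment, a secrets file or a prompt, which are not static authenticators. The sample script, its file name and the credential values in it are constructed for the example; the AWS key ID in it is the placeholder value AWS publishes in its own documentation.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    kind: str
    evidence: str


# Patterns for credentials written literally into code or access scripts.
PATTERNS = {
    "assigned secret": re.compile(
        r"""(?i)(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\s*[=:]\s*['"]?([^'"\s]{6,})"""),
    "aws access key id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "credentials in url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@"),
    "private key material": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
}

# Values resolved at run time rather than embedded: not static authenticators.
INDIRECTION = re.compile(r"^(\$|%|\{\{|os\.environ|os\.getenv|getenv\(|getpass|input\(|<)")


def scan(text: str) -> List[Finding]:
    """Return one Finding per embedded static authenticator, in line order."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                                 # comment lines are skipped in this pass
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1)
                if kind == "assigned secret" and INDIRECTION.match(value):
                    continue
                findings.append(Finding(number, kind, value))
    return findings


def redact(value: str) -> str:
    """Keep two characters at each end so a reviewer can locate the value without copying it."""
    return value[:2] + "*" * max(len(value) - 4, 0) + value[-2:]


# Constructed sample access script (not a real deployment script).
SAMPLE_SCRIPT = """\
#!/bin/bash
# deploy.sh: constructed sample for the scanner
DB_USER=app
DB_PASSWORD="Sup3rS3cretP@ss"
API_KEY=$(cat /run/secrets/api_key)
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
curl https://svc:hunter2pass@internal.example/api
mysql -u "$DB_USER" -p"$DB_PASSWORD" inventory
token=$VAULT_TOKEN
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT):
        print(f"line {f.line}: {f.kind}: {redact(f.evidence)}")
```

Lines 5 and 9 of the sample are not reported because the value comes from a secrets file or an environment variable; line 8 is not reported because it expands a variable rather than embedding the password. Pattern matching of this kind finds the obvious cases only, so the enhancement's code-review requirement still stands.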



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-5/8


IA-5(8) AUTHENTICATOR MANAGEMENT
IA-5(8).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines measures taken to manage the risk of compromise due to individuals having accounts on multiple information systems; and
(ii) the organization takes organization-defined measures to manage the risk of compromise due to individuals having accounts on multiple information systems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; security plan; list of individuals having accounts on multiple information systems; list of measures intended to manage risk of compromise due to individuals having accounts on multiple information systems; other relevant documents or records].



IA-6 AUTHENTICATOR FEEDBACK


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-6 Authenticator Feedback
Priority: P1 | LOW: IA-6 | MOD: IA-6 | HIGH: IA-6


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-6


ASSESSMENT PROCEDURE
IA-6 AUTHENTICATOR FEEDBACK
IA-6.1 ASSESSMENT OBJECTIVE:
Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator feedback; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing authenticator feedback].


IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-7 Cryptographic Module Authentication
Priority: P1 | LOW: IA-7 | MOD: IA-7 | HIGH: IA-7


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-7


ASSESSMENT PROCEDURE
IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
IA-7.1 ASSESSMENT OBJECTIVE:
Determine if the information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing cryptographic module authentication; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing cryptographic module authentication].


IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-8 Identification and Authentication (Non-Organizational Users)
Priority: P1 | LOW: IA-8 | MOD: IA-8 | HIGH: IA-8


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-8


ASSESSMENT PROCEDURE
IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
IA-8.1 ASSESSMENT OBJECTIVE:
Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].

