Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/IA/Low


NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


IDENTIFICATION AND AUTHENTICATION

IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-1 Identification and Authentication Policy and Procedures | Priority: P1 | LOW: IA-1 | MOD: IA-1 | HIGH: IA-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-1


ASSESSMENT PROCEDURE
IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents identification and authentication policy;
(ii) the organization identification and authentication policy addresses:
(iii) the organization disseminates formal documented identification and authentication policy to elements within the organization having associated identification and authentication roles and responsibilities;
(iv) the organization develops and formally documents identification and authentication procedures;
(v) the organization identification and authentication procedures facilitate implementation of the identification and authentication policy and associated identification and authentication controls; and
(vi) the organization disseminates formal documented identification and authentication procedures to elements within the organization having associated identification and authentication roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identification and authentication responsibilities].
IA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of identification and authentication policy reviews/updates;
(ii) the organization reviews/updates identification and authentication policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of identification and authentication procedure reviews/updates; and
(iv) the organization reviews/updates identification and authentication procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identification and authentication responsibilities].


IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-2 Identification and Authentication (Organizational Users) | Priority: P1 | LOW: IA-2 (1) | MOD: IA-2 (1) (2) (3) (8) | HIGH: IA-2 (1) (2) (3) (4) (8) (9)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-2


ASSESSMENT PROCEDURE
IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2.1 ASSESSMENT OBJECTIVE:
Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-2/1


IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for network access to privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].
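The IA-2(1) objective above is stated at the control level; what follows is an added worked example (not text or code from NIST SP 800-53A or FISMApedia) of the kind of automated mechanism the Test method points an assessor at: a network login routine in which a privileged account cannot authenticate with a password alone, while a non-privileged account, as permitted at the LOW baseline, can. The account records, passwords and salt are constructed for the example, the second factor is a time-based one-time password per RFC 6238 (HOTP per RFC 4226), and the shared key is the reference key from RFC 6238 so the codes can be checked against the published vectors.

```python
# Added example (not part of NIST SP 800-53A or FISMApedia): password + TOTP
# for privileged accounts, password only for non-privileged accounts.
# All account data below is constructed for the example.
import hashlib
import hmac
import struct
import time
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated one-way hash; nothing reversible is stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # fixed only for reproducibility

ACCOUNTS = {
    "alice": {  # privileged: network access must use two factors (IA-2(1))
        "privileged": True,
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 reference key
    },
    "bob": {  # non-privileged: password only at the LOW baseline
        "privileged": False,
        "salt": _SALT,
        "pw_hash": _hash_password("bobs-long-passphrase-2024", _SALT),
        "totp_secret": None,
    },
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_password(account: dict, password: str) -> bool:
    candidate = _hash_password(password, account["salt"])
    return hmac.compare_digest(candidate, account["pw_hash"])


def verify_totp(account: dict, code: str, at_time: int, skew_steps: int = 1) -> bool:
    """Accept the current step and +/- skew_steps neighbours to tolerate clock drift."""
    counter = int(at_time) // 30
    return any(
        hmac.compare_digest(hotp(account["totp_secret"], counter + d), code)
        for d in range(-skew_steps, skew_steps + 1)
        if counter + d >= 0
    )


def authenticate(username: str, password: str, otp: Optional[str] = None,
                 at_time: Optional[int] = None) -> bool:
    """Network login. Privileged accounts fail closed when no second factor is presented."""
    account = ACCOUNTS.get(username)
    if account is None:
        _hash_password(password, _SALT)  # burn the same work so unknown users are not faster
        return False
    if not verify_password(account, password):
        return False
    if not account["privileged"]:
        return True
    if otp is None or account["totp_secret"] is None:
        return False  # IA-2(1): a password alone is not enough for a privileged account
    now = int(time.time()) if at_time is None else at_time
    return verify_totp(account, otp, now)


if __name__ == "__main__":
    t = 59  # RFC 6238 reference time: counter 1, 6-digit code 287082
    print(authenticate("bob", "bobs-long-passphrase-2024"))                       # True
    print(authenticate("alice", "correct horse battery staple"))                  # False: no OTP
    print(authenticate("alice", "correct horse battery staple",
                       totp(b"12345678901234567890", t), at_time=t))              # True
```

An assessor exercising a mechanism like this would attempt the privileged login with the correct password and no one-time code and expect a refusal. The skew window accepts the adjacent 30-second steps as well as the current one; how much drift to tolerate is an organizational decision, and the smaller the window the fewer codes an attacker can replay.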


IA-4 IDENTIFIER MANAGEMENT


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-4 Identifier Management | Priority: P1 | LOW: IA-4 | MOD: IA-4 | HIGH: IA-4


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-4


ASSESSMENT PROCEDURE
IA-4 IDENTIFIER MANAGEMENT
IA-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period for preventing reuse of user or device identifiers;
(ii) the organization defines the time period of inactivity after which a user identifier is to be disabled; and
(iii) the organization manages information system identifiers for users and devices by:
  • receiving authorization from a designated organizational official to assign a user or device identifier;
  • selecting an identifier that uniquely identifies an individual or device;
  • assigning the user identifier to the intended party or the device identifier to the intended device;
  • preventing reuse of user or device identifiers for the organization-defined time period; and
  • disabling the user identifier after the organization-defined time period of inactivity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; list of identifiers generated from physical access control devices; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identifier management responsibilities].
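The IA-4.1 objective lists five lifecycle rules an identifier registry has to enforce. The following is an added worked example (not text or code from NIST SP 800-53A or FISMApedia) of a registry that refuses assignments which are not authorized by a designated official, rejects an identifier that is still in use, bars reuse of a retired identifier inside the organization-defined period, and disables user identifiers after the organization-defined period of inactivity. The parameter values, the list of authorizing officials and the account records are hypothetical; times are plain day counts so the example runs without a clock.

```python
# Added example (not part of NIST SP 800-53A or FISMApedia): an identifier
# registry enforcing the IA-4 lifecycle rules. Parameters are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Organization-defined parameters (hypothetical values chosen for the example).
REUSE_PREVENTION_DAYS = 365     # IA-4 (i): no reuse of a retired identifier within this period
INACTIVITY_DISABLE_DAYS = 90    # IA-4 (ii): disable a user identifier idle longer than this
AUTHORIZING_OFFICIALS: Set[str] = {"isso"}  # designated official(s) who may approve an assignment


@dataclass
class Identifier:
    name: str
    subject: str                 # the individual or device the identifier was assigned to
    kind: str                    # "user" or "device"
    assigned_on: int             # days since an arbitrary epoch
    last_used: int
    disabled: bool = False
    retired_on: Optional[int] = None


@dataclass
class IdentifierRegistry:
    active: Dict[str, Identifier] = field(default_factory=dict)
    retired: Dict[str, Identifier] = field(default_factory=dict)

    def assign(self, name: str, subject: str, kind: str, authorized_by: str, today: int) -> Identifier:
        """Assign an identifier; raises ValueError when a lifecycle rule would be violated."""
        if authorized_by not in AUTHORIZING_OFFICIALS:
            raise ValueError(f"{authorized_by} is not a designated official; assignment refused")
        if kind not in ("user", "device"):
            raise ValueError("kind must be 'user' or 'device'")
        if name in self.active:
            # Uniqueness: one identifier never points at two subjects.
            raise ValueError(f"{name} already identifies {self.active[name].subject}")
        old = self.retired.get(name)
        if old is not None and today - old.retired_on < REUSE_PREVENTION_DAYS:
            raise ValueError(
                f"{name} was retired {today - old.retired_on} days ago; "
                f"reuse is barred for {REUSE_PREVENTION_DAYS} days"
            )
        ident = Identifier(name, subject, kind, assigned_on=today, last_used=today)
        self.active[name] = ident
        return ident

    def record_use(self, name: str, today: int) -> None:
        """Called on each successful authentication with the identifier."""
        ident = self.active[name]
        if ident.disabled:
            raise ValueError(f"{name} is disabled")
        ident.last_used = today

    def retire(self, name: str, today: int) -> None:
        """Remove an identifier from service and start its reuse-prevention clock."""
        ident = self.active.pop(name)
        ident.retired_on = today
        self.retired[name] = ident

    def disable_inactive(self, today: int) -> List[str]:
        """Disable every user identifier idle longer than the organization-defined period.
        Device identifiers are left alone: IA-4 applies the inactivity rule to user identifiers."""
        newly_disabled = []
        for ident in self.active.values():
            if ident.kind == "user" and not ident.disabled \
                    and today - ident.last_used > INACTIVITY_DISABLE_DAYS:
                ident.disabled = True
                newly_disabled.append(ident.name)
        return sorted(newly_disabled)


if __name__ == "__main__":
    reg = IdentifierRegistry()
    reg.assign("jdoe", "Jane Doe", "user", authorized_by="isso", today=0)
    reg.assign("ws-0042", "workstation 42", "device", authorized_by="isso", today=0)
    reg.record_use("jdoe", today=10)
    print(reg.disable_inactive(today=101))   # ['jdoe']: 91 days idle
    reg.retire("jdoe", today=120)
    try:
        reg.assign("jdoe", "John Doe", "user", authorized_by="isso", today=200)
    except ValueError as e:
        print(e)                             # reuse barred, only 80 days since retirement
```

The examine-and-interview methods above check that these parameters exist on paper; running the registry's `disable_inactive` over the real account list and comparing its output with the accounts that are actually disabled is the corresponding test an assessor can perform.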



IA-5 AUTHENTICATOR MANAGEMENT


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-5 Authenticator Management | Priority: P1 | LOW: IA-5 (1) | MOD: IA-5 (1) (2) (3) | HIGH: IA-5 (1) (2) (3)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-5


ASSESSMENT PROCEDURE
IA-5 AUTHENTICATOR MANAGEMENT
IA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period (by authenticator type) for changing/refreshing authenticators; and
(ii) the organization manages information system authenticators for users and devices by:
  • verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
  • establishing initial authenticator content for authenticators defined by the organization;
  • ensuring that authenticators have sufficient strength of mechanism for their intended use;
  • establishing and implementing administrative procedures for initial authenticator distribution;
  • establishing and implementing administrative procedures for lost/compromised or damaged authenticators;
  • establishing and implementing administrative procedures for revoking authenticators;
  • changing default content of authenticators upon information system installation;
  • establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if deemed to be appropriate by the organization);
  • changing/refreshing authenticators in accordance with the organization-defined time period by authenticator type;
  • protecting authenticator content from unauthorized disclosure and modification; and
  • requiring users to take, and having devices implement, specific measures to safeguard authenticators.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for determining initial authenticator content].
Test: [SELECT FROM: Automated mechanisms implementing authenticator management functions].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/IA-5/1


IA-5(1) AUTHENTICATOR MANAGEMENT
IA-5(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the minimum password complexity requirements to be enforced for case sensitivity, the number of characters, and the mix of upper-case letters, lower-case letters, numbers, and special characters including minimum requirements for each type;
(ii) the organization defines the minimum number of characters that must be changed when new passwords are created;
(iii) the organization defines the restrictions to be enforced for password minimum lifetime and password maximum lifetime parameters;
(iv) the organization defines the number of generations for which password reuse is prohibited; and
(v) the information system, for password-based authentication:
  • enforces the minimum password complexity standards that meet the organization-defined requirements;
  • enforces the organization-defined minimum number of characters that must be changed when new passwords are created;
  • encrypts passwords in storage and in transmission;
  • enforces the organization-defined restrictions for password minimum lifetime and password maximum lifetime parameters; and
  • prohibits password reuse for the organization-defined number of generations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; security plan; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing authenticator management functions].
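The IA-5.1 and IA-5(1).1 objectives together describe what a password-based authenticator manager has to enforce: complexity, a minimum number of characters changed, protected storage, minimum and maximum lifetime, and a reuse history. The following is an added worked example (not text or code from NIST SP 800-53A or FISMApedia) of such a manager. The parameter values are hypothetical organization-defined settings. Note one point the control's wording hides: "encrypts passwords in storage" is met in practice by a salted, iterated one-way hash, not by reversible encryption, and that is what an assessor should expect to find; the reuse check therefore has to hash the candidate password against each stored generation, and the "characters changed" check can only be made at change time, when the user presents the old password in the clear.

```python
# Added example (not part of NIST SP 800-53A or FISMApedia): a password
# authenticator manager enforcing the IA-5(1) parameters. All parameter values
# and sample passwords are hypothetical.
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import List, Tuple

# Organization-defined parameters (hypothetical).
MIN_LENGTH = 14
MIN_PER_CLASS = {"upper": 1, "lower": 1, "digit": 1, "special": 1}
MIN_CHARS_CHANGED = 4        # characters that must differ between old and new password
MIN_LIFETIME_DAYS = 1
MAX_LIFETIME_DAYS = 60
REUSE_GENERATIONS = 24       # number of previous passwords that may not be reused
PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def complexity_violations(pw: str) -> List[str]:
    """Return the complexity rules the candidate fails (an empty list means it passes)."""
    counts = {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum(c in string.punctuation for c in pw),
    }
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for cls, needed in MIN_PER_CLASS.items():
        if counts[cls] < needed:
            problems.append(f"fewer than {needed} {cls} character(s)")
    return problems


def chars_changed(old: str, new: str) -> int:
    """Levenshtein distance: characters that must be inserted, deleted or substituted
    to turn old into new. Case-sensitive, so 'Password1!' -> 'password1!' counts as 1."""
    prev = list(range(len(new) + 1))
    for i, oc in enumerate(old, 1):
        cur = [i]
        for j, nc in enumerate(new, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (oc != nc)))
        prev = cur
    return prev[-1]


@dataclass
class PasswordRecord:
    salt: bytes
    current: bytes
    changed_on: int                                   # days since an arbitrary epoch
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash), oldest first

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.current)

    def expired(self, today: int) -> bool:
        return today - self.changed_on > MAX_LIFETIME_DAYS


def set_initial_password(password: str, today: int) -> PasswordRecord:
    """Initial authenticator content must already satisfy the complexity rules."""
    problems = complexity_violations(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return PasswordRecord(salt=salt, current=hash_password(password, salt), changed_on=today)


def change_password(rec: PasswordRecord, old: str, new: str, today: int) -> List[str]:
    """Apply every IA-5(1) rule; returns the reasons the change was refused (empty == changed)."""
    if not rec.verify(old):
        return ["current password incorrect"]
    reasons = []
    if today - rec.changed_on < MIN_LIFETIME_DAYS:
        reasons.append(f"minimum lifetime of {MIN_LIFETIME_DAYS} day(s) not reached")
    reasons += complexity_violations(new)
    if chars_changed(old, new) < MIN_CHARS_CHANGED:
        reasons.append(f"fewer than {MIN_CHARS_CHANGED} characters changed")
    generations = rec.history + [(rec.salt, rec.current)]
    if any(hmac.compare_digest(hash_password(new, s), h) for s, h in generations):
        reasons.append(f"reuse of one of the last {REUSE_GENERATIONS} passwords")
    if reasons:
        return reasons
    rec.history = (rec.history + [(rec.salt, rec.current)])[-(REUSE_GENERATIONS - 1):] \
        if REUSE_GENERATIONS > 1 else []
    rec.salt = os.urandom(16)          # fresh salt per generation
    rec.current = hash_password(new, rec.salt)
    rec.changed_on = today
    return []
```

Against a real system the assessor's test is the same sequence: attempt a change that breaks each rule in turn and confirm each is refused with the configured parameter values, then confirm that a compliant change succeeds and that the stored value is a hash rather than the password itself.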


IA-6 AUTHENTICATOR FEEDBACK


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-6 Authenticator Feedback | Priority: P1 | LOW: IA-6 | MOD: IA-6 | HIGH: IA-6


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-6


ASSESSMENT PROCEDURE
IA-6 AUTHENTICATOR FEEDBACK
IA-6.1 ASSESSMENT OBJECTIVE:
Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator feedback; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing authenticator feedback].


IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-7 Cryptographic Module Authentication | Priority: P1 | LOW: IA-7 | MOD: IA-7 | HIGH: IA-7


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-7


ASSESSMENT PROCEDURE
IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
IA-7.1 ASSESSMENT OBJECTIVE:
Determine if the information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing cryptographic module authentication; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing cryptographic module authentication].


IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


Security Control Baseline:
IA-8 Identification and Authentication (Non-Organizational Users) | Priority: P1 | LOW: IA-8 | MOD: IA-8 | HIGH: IA-8


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/IA-8


ASSESSMENT PROCEDURE
IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
IA-8.1 ASSESSMENT OBJECTIVE:
Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].

