NIST 800-171 - Authentication Management (3.5.2)


Overview:
Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational information systems.


Action Items:
3.5.2[a]
Determine if: the identity of each user is authenticated or verified as a prerequisite to system access.


3.5.2[b]
Determine if: the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access.


3.5.2[c]
Determine if: the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1) Examine: Identification and authentication policy; system security plan; procedures addressing authenticator management; procedures addressing user identification and authentication; system design documentation; list of system authenticator types; system configuration settings and associated documentation; change control records associated with managing system authenticators; system audit logs and records; other relevant documents or records.


2) Interview: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators.


3) Test: Mechanisms supporting or implementing authenticator management capability.


Related Documents (document name and content will vary by organization):
1) Identification and authentication policy
2) system security plan
3) procedures addressing authenticator management
4) procedures addressing user identification and authentication
5) system design documentation
6) list of system authenticator types
7) system configuration settings and associated documentation
8) change control records associated with managing system authenticators
9) system audit logs and records
10) other relevant documents or records


Additional Guidance:
Individual authenticators include, for example, passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include, for example, the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk.


Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, validation time window for time-synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. NIST Special Publication 800-63 provides guidance on digital identities.
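As an added example (not part of the NIST text or of this wiki article), the following Python verifier shows what the "validation time window for time-synchronous one-time tokens" means in an implementation: an RFC 6238 TOTP check whose tolerated drift is an organization-defined setting rather than a hard-coded constant. The shared secret, the 30-second time step and the timestamps are assumed sample values.

```python
# Added example: time-synchronous one-time token verifier with an
# organization-defined validation window (RFC 6238 TOTP over HMAC-SHA1).
# Secret, time step and timestamps used here are constructed sample values.
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # time step shared by the token and the verifier
DIGITS = 6          # length of the one-time code


def totp_code(secret: bytes, counter: int) -> str:
    """One-time code for a single time-step counter (RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Accept `submitted` only if it matches a step within +/- `window`
    steps of the step containing `now`.

    `window` is the organization-defined validation time window: a larger
    value tolerates more clock drift between token and server, but also
    lengthens the interval during which a captured code remains usable.
    """
    if window < 0 or len(submitted) != DIGITS or not submitted.isdigit():
        return False
    current = now // STEP_SECONDS
    accepted = False
    for counter in range(current - window, current + window + 1):
        # Constant-time comparison, and no early exit, so response timing
        # does not reveal which step (if any) matched.
        if hmac.compare_digest(totp_code(secret, counter), submitted):
            accepted = True
    return accepted
```

The assessment objective is the configured value of `window` (and the policy that set it), not the existence of the check itself.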



Article ID: 150
Created: September 26, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/nist-800-171-authentication-management-3-5-2-150.html