800-53|IA-2

Title

IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Description

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Supplemental

Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-14,AC-17,AC-18,AC-2,AC-3,IA-4,IA-5,IA-8

Category: IDENTIFICATION AND AUTHENTICATION

Family: IDENTIFICATION AND AUTHENTICATION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.1.1 Enable 'aaa new-model'	Cisco	CIS Cisco IOS 12 L1 v4.0.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
1.1.1 Ensure that the --anonymous-auth argument is set to false	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.1 Ensure that the --anonymous-auth argument is set to false	Unix	CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.1 Ensure that the --anonymous-auth argument is set to false	Unix	CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.1.2 Enable 'aaa authentication login'	Cisco	CIS Cisco IOS 12 L1 v4.0.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
1.1.2 Ensure that the --anonymous-auth argument is set to false	Unix	CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.1.3 Enable 'aaa authentication enable default'	Cisco	CIS Cisco IOS 12 L1 v4.0.0
1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
1.1.3 Ensure that the --insecure-allow-any-token argument is not set	Unix	CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.3 Ensure that the --insecure-allow-any-token argument is not set	Unix	CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.3 Ensure that the --insecure-allow-any-token argument is not set	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.3.8.1 Set 'Microsoft network server: Disconnect clients when logon hours expire' to 'Enabled'	Windows	CIS Windows 8 L1 v1.0.0
1.1.3.10.2 Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled'	Windows	CIS Windows 8 L1 v1.0.0
1.1.3.10.4 Configure 'Network access: Named Pipes that can be accessed anonymously'	Windows	CIS Windows 8 L1 v1.0.0
1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.1.4 Ensure 'Minimum password length' is set to '14 or more character(s)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
1.1.4 Ensure that the --insecure-allow-any-token argument is not set	Unix	CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.4 Set 'login authentication for 'line con 0'	Cisco	CIS Cisco IOS 12 L1 v4.0.0
1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.1.5 Ensure 'Password must meet complexity requirements' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
1.1.5 Set 'login authentication for 'line tty'	Cisco	CIS Cisco IOS 12 L1 v4.0.0
1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
1.1.6 Set 'login authentication for 'line vty'	Cisco	CIS Cisco IOS 12 L1 v4.0.0
1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriate	Unix	CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificate	Unix	CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - key	Unix	CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers	Unix	CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts	GCP	CIS Google Cloud Platform v3.0.0 L1
1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
1.2.1 Set 'privilege 1' for local users	Cisco	CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.1 Set 'privilege 1' for local users	Cisco	CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.1 Set the 'hostname'	Cisco	CIS Cisco IOS XR 7.x v1.0.0 L1
1.2.2 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'	Cisco	CIS Cisco IOS XR 7.x v1.0.0 L1
1.2.2 Set 'transport input ssh' for 'line vty' connections	Cisco	CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.2 Set 'transport input ssh' for 'line vty' connections	Cisco	CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.2 Set 'transport input ssh' for 'line vty' connections	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.2.3 Ensure HTTP and Telnet options are disabled for the management interface	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.3 Set 'seconds' for 'ssh timeout' for 60 seconds or less	Cisco	CIS Cisco IOS XR 7.x v1.0.0 L1
1.008 - Shared user accounts are permitted on the system.	Windows	DISA Windows Vista STIG v6r41
1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password	amazon_aws	CIS Amazon Web Services Foundations L1 3.0.0
1.10 Ensure required packages for multifactor authentication are installed	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.10 Ensure required packages for multifactor authentication are installed - esc	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
1.10 Ensure required packages for multifactor authentication are installed - pam_pkcs11	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3

Detections

Analytics