800-53|IA-2(11)

Title

REMOTE ACCESS - SEPARATE DEVICE

Description

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

Supplemental

For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-6

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.8.8 Ensure users must authenticate users using MFA via a graphical user logon	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.10 Ensure required packages for multifactor authentication are installed	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.10 Ensure required packages for multifactor authentication are installed - esc	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
1.10 Ensure required packages for multifactor authentication are installed - pam_pkcs11	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS AlmaLinux OS 8 Server L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS Rocky Linux 8 Workstation L1 v2.0.0
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS CentOS Linux 7 v4.0.0 L1 Workstation
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS Red Hat EL8 Workstation L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Server
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS Oracle Linux 8 Server L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS Oracle Linux 7 v4.0.0 L1 Workstation
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS Red Hat EL8 Server L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS Rocky Linux 8 Server L1 v2.0.0
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS Oracle Linux 8 Workstation L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS CentOS Linux 7 v4.0.0 L1 Server
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS Amazon Linux 2 v3.0.0 L1
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS AlmaLinux OS 8 Workstation L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installed	Unix	CIS Oracle Linux 7 v4.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installed	Unix	CIS AlmaLinux OS 9 v2.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installed	Unix	CIS AlmaLinux OS 9 v2.0.0 L1 Workstation
5.3.1.1 Ensure latest version of pam is installed	Unix	CIS Rocky Linux 9 v2.0.0 L1 Workstation
5.3.1.1 Ensure latest version of pam is installed	Unix	CIS Red Hat Enterprise Linux 9 v2.0.0 L1 Workstation
5.3.1.1 Ensure latest version of pam is installed	Unix	CIS Red Hat Enterprise Linux 9 v2.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installed	Unix	CIS Rocky Linux 9 v2.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installed	Unix	CIS Oracle Linux 9 v2.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installed	Unix	CIS Oracle Linux 9 v2.0.0 L1 Workstation
5.4.9 Ensure multifactor authentication for access to privileged accounts - PAM.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.10 Ensure certificate status checking for PKI authentication	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
AIX7-00-003200 - The AIX operating system must use Multi Factor Authentication.	Unix	DISA STIG AIX 7.x v2r9
AOSX-14-003025 - The macOS system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.	Unix	DISA STIG Apple Mac OSX 10.14 v2r6
APPL-14-001150 - The macOS system must disable password authentication for SSH.	Unix	DISA Apple macOS 14 (Sonoma) STIG v1r2
APPL-14-003020 - The macOS system must enforce smart card authentication.	Unix	DISA Apple macOS 14 (Sonoma) STIG v1r2
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 Low
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - 800-171
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - CNSSI 1253
F5BI-AP-000193 - The BIG-IP APM must be configured to require multifactor authentication for remote access with non-privileged accounts.	F5	DISA F5 BIG-IP Access Policy Manager 11.x STIG V1R1
F5BI-AP-000195 - The BIG-IP APM must be configured to require multifactor authentication for remote access with privileged accounts.	F5	DISA F5 BIG-IP Access Policy Manager 11.x STIG V1R1
F5BI-LT-000079 - The BIG-IP Core implementation providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts when granting access to virtual servers.	F5	DISA F5 BIG-IP Local Traffic Manager 11.x STIG v1r3
F5BI-LT-000079 - The BIG-IP Core implementation providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts when granting access to virtual servers.	F5	DISA F5 BIG-IP Local Traffic Manager 11.x STIG v2r1
OL07-00-010061 - The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.	Unix	DISA Oracle Linux 7 STIG v2r14
OL07-00-041001 - The Oracle Linux operating system must have the required packages for multifactor authentication installed.	Unix	DISA Oracle Linux 7 STIG v2r14
OL07-00-041002 - The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM) - PAM.	Unix	DISA Oracle Linux 7 STIG v2r14
OL07-00-041003 - The Oracle Linux operating system must implement certificate status checking for PKI authentication.	Unix	DISA Oracle Linux 7 STIG v2r14

Detections

Analytics