800-53|IA-3

Title

DEVICE IDENTIFICATION AND AUTHENTICATION

Description

The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.

Supplemental

Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type and device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification, or organizational authentication solutions (e.g., IEEE 802.1X with Extensible Authentication Protocol [EAP], a RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and/or wide area networks. Note the distinction: a MAC or IP address is set by the device itself and is trivially spoofed, so it provides identification only; where the control requires authentication, a cryptographic mechanism such as EAP-TLS or Kerberos is needed. Organizations determine the required strength of authentication mechanisms from the security categories of their information systems. Because of the challenges of applying this control at scale, organizations are encouraged to apply it only to the limited number (and types) of devices that truly need to support this capability.
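The supplemental guidance contrasts shared known information (MAC/IP addresses) with cryptographic device authentication. The following is an added example, not NIST or Tenable code, that shows the difference concretely: a MAC allow-list that a spoofing host passes, beside a minimal bidirectional challenge-response handshake in the spirit of what 802.1X/EAP-TLS or Kerberos provide. The handshake is a simplified HMAC-based illustration, not a real EAP method; the device names, keys and MAC addresses are constructed.

```python
# Added example for the IA-3 supplemental guidance. Not NIST/Tenable code;
# device names, keys and MAC addresses below are constructed for illustration.
import hashlib
import hmac
import secrets

# Constructed inventory. In a real deployment the per-device secret (or a
# certificate, as with EAP-TLS) is provisioned out of band at enrollment.
DEVICE_KEYS = {
    "printer-01": bytes.fromhex("4f3a" * 16),
    "badge-reader-07": bytes.fromhex("a1c2" * 16),
}
ALLOWED_MACS = {"aa:bb:cc:dd:ee:01"}  # constructed MAC of printer-01

NONCE_LEN = 32


def admit_by_mac(claimed_mac: str) -> bool:
    """Shared-known-information check: identification only. Any host that
    sets its interface address to a listed value is admitted."""
    return claimed_mac.lower() in ALLOWED_MACS


def _tag(key: bytes, role: bytes, device_id: str, n_net: bytes, n_dev: bytes) -> bytes:
    # The role label binds direction, so a device's proof cannot be reflected
    # back as the network's proof; fixed-length nonces keep the message unambiguous.
    msg = role + b"\x00" + device_id.encode() + b"\x00" + n_net + n_dev
    return hmac.new(key, msg, hashlib.sha256).digest()


class NetworkAuthenticator:
    """Network side (the role an access switch / RADIUS server plays in 802.1X)."""

    def __init__(self, device_keys: dict):
        self._keys = device_keys

    def challenge(self) -> bytes:
        return secrets.token_bytes(NONCE_LEN)

    def verify_device(self, device_id: str, n_net: bytes, n_dev: bytes, tag_dev: bytes) -> bool:
        key = self._keys.get(device_id)
        if key is None or len(n_dev) != NONCE_LEN:
            return False
        return hmac.compare_digest(_tag(key, b"device", device_id, n_net, n_dev), tag_dev)

    def prove_self(self, device_id: str, n_net: bytes, n_dev: bytes) -> bytes:
        return _tag(self._keys[device_id], b"network", device_id, n_net, n_dev)


class Device:
    """Supplicant side: holds the secret provisioned for its identity."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id, self._key = device_id, key
        self._n_dev = b""

    def respond(self, n_net: bytes):
        self._n_dev = secrets.token_bytes(NONCE_LEN)
        return self._n_dev, _tag(self._key, b"device", self.device_id, n_net, self._n_dev)

    def verify_network(self, n_net: bytes, tag_net: bytes) -> bool:
        return hmac.compare_digest(
            _tag(self._key, b"network", self.device_id, n_net, self._n_dev), tag_net)


def run_handshake(net: NetworkAuthenticator, dev: Device):
    """Returns (device_authenticated, network_authenticated)."""
    n_net = net.challenge()                      # network -> device: nonce
    n_dev, tag_dev = dev.respond(n_net)          # device -> network: nonce, proof
    if not net.verify_device(dev.device_id, n_net, n_dev, tag_dev):
        return False, False                      # connection refused
    tag_net = net.prove_self(dev.device_id, n_net, n_dev)  # network -> device: proof
    return True, dev.verify_network(n_net, tag_net)


def replay_recorded_response(net: NetworkAuthenticator, dev: Device) -> bool:
    """An eavesdropper replays a captured (nonce, proof) pair against a fresh challenge."""
    n_old = net.challenge()
    n_dev, tag_dev = dev.respond(n_old)
    return net.verify_device(dev.device_id, net.challenge(), n_dev, tag_dev)


if __name__ == "__main__":
    net = NetworkAuthenticator(DEVICE_KEYS)
    legit = Device("printer-01", DEVICE_KEYS["printer-01"])
    print("spoofed MAC admitted:", admit_by_mac("AA:BB:CC:DD:EE:01"))
    print("legitimate device:", run_handshake(net, legit))
    print("claims printer-01 with wrong key:", run_handshake(net, Device("printer-01", b"guess")))
    print("replayed proof accepted:", replay_recorded_response(net, legit))
```

The MAC check admits anyone who can type the address, while the challenge-response refuses a device that knows the identity but not the secret, refuses a replayed proof because each network nonce is fresh, and lets the device reject a rogue network that cannot produce the network-side proof.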

Reference Item Details

Related: AC-17, AC-18, AC-19, CA-3, IA-4, IA-5

Category: IDENTIFICATION AND AUTHENTICATION

Family: IDENTIFICATION AND AUTHENTICATION

Priority: P1

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.3.11.3 Set 'Network security: Allow Local System to use computer identity for NTLM' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.27 Disable Automounting | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.1.28 Disable USB Storage - /bin/true | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.1.28 Disable USB Storage - blacklist | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.2.4.2.2.27 Set 'Allow Secure Boot for integrity validation' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.9.1.1 Ensure 'NTP authentication' is enabled | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
2.3.1.1 Set 'ntp authenticate' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
2.3.1.3 Set the 'ntp trusted-key' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.1 Authentication and Verification of OSPF Routing Protocols - authentication message-digest | ZTE_ROSNG | Tenable ZTE ROSNG
3.1 Authentication and Verification of OSPF Routing Protocols - message-digest-key | ZTE_ROSNG | Tenable ZTE ROSNG
3.2 Authentication and Verification of ISIS Routing Protocols - authentication | ZTE_ROSNG | Tenable ZTE ROSNG
3.2 Authentication and Verification of ISIS Routing Protocols - authentication-type hmac-md5 | ZTE_ROSNG | Tenable ZTE ROSNG
3.3.1.1 Set 'key chain' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.3.1.2 Set 'key' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.3.1.3 Set 'key-string' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.3.1.4 Set 'address-family ipv4 autonomous-system' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.3.1.5 Set 'af-interface default' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.3.1.6 Set 'authentication key-chain' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.3.2.1 Set 'authentication message-digest' for OSPF area | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L2
3.3.2.1 Set 'authentication message-digest' for OSPF area | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.3.2.1 Set 'authentication message-digest' for OSPF area | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L2
3.3.3.1 Set 'key chain' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.3.3.1 Set 'neighbor password' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L2
3.3.3.1 Set 'neighbor password' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L2
3.3.3.2 Set 'key' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.3.3.3 Set 'key-string' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.3.4.1 Set 'neighbor password' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.4.1 Ensure DCCP is disabled - blacklist dccp | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
3.4.1 Ensure DCCP is disabled - dccp /bin/true | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.3.16 Enforce 'wantAssertionsSigned' to 'true' in SAML | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
4.3.17 Ensure 'authnRequestsSigned' is set to 'true' in SAML | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
5.123 - Restrict unauthenticated RPC clients. | Windows | DISA Windows Vista STIG v6r41
5.124 - Client computers required to authenticate for RPC communication. | Windows | DISA Windows Vista STIG v6r41
6.1 Enable bidirectional CHAP authentication for iSCSI traffic | VMware | CIS VMware ESXi 5.1 v1.0.1 Level 1
AIX7-00-001025 - AIX must configure the ttys value for all interactive users. | Unix | DISA STIG AIX 7.x v3r1
AIX7-00-003090 - If automated file system mounting tool is not required on AIX, it must be disabled. | Unix | DISA STIG AIX 7.x v3r1
AMLS-L2-000140 - The Arista Multilayer Switch must re-authenticate all endpoint devices every 60 minutes or less - dot1x reauthentication | Arista | DISA STIG Arista MLS DCS-7000 Series L2S v1r3
AMLS-L2-000140 - The Arista Multilayer Switch must re-authenticate all endpoint devices every 60 minutes or less - dot1x timeout reauth-period 3600 | Arista | DISA STIG Arista MLS DCS-7000 Series L2S v1r3
AOSX-14-002069 - The macOS system must authenticate peripherals before establishing a connection. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-14-004020 - The macOS system must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-000008 - The macOS system must be configured with Wi-Fi support software disabled. | Unix | DISA STIG Apple Mac OSX 10.15 v1r10
AOSX-15-002069 - The macOS system must authenticate peripherals before establishing a connection. | Unix | DISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-000008 - The macOS system must be configured with Wi-Fi support software disabled. | Unix | DISA STIG Apple macOS 11 v1r5
APPL-11-000008 - The macOS system must be configured with Wi-Fi support software disabled. | Unix | DISA STIG Apple macOS 11 v1r8
APPL-11-002069 - The macOS system must authenticate peripherals before establishing a connection. | Unix | DISA STIG Apple macOS 11 v1r8
APPL-11-002069 - The macOS system must authenticate peripherals before establishing a connection. | Unix | DISA STIG Apple macOS 11 v1r5
APPL-12-002062 - The macOS system must be configured with Bluetooth turned off unless approved by the organization. | Unix | DISA STIG Apple macOS 12 v1r9
APPL-12-005051 - The macOS system must restrict the ability to utilize external writeable media devices. | Unix | DISA STIG Apple macOS 12 v1r9
APPL-13-002062 - The macOS system must be configured with Bluetooth turned off unless approved by the organization. | Unix | DISA STIG Apple macOS 13 v1r4
APPL-14-005090 - The macOS system must authorize USB devices before allowing connection. | Unix | DISA Apple macOS 14 (Sonoma) STIG v2r2