800-53|IA-8(2)

Title

ACCEPTANCE OF THIRD-PARTY CREDENTIALS

Description

The information system accepts only FICAM-approved third-party credentials.

Supplemental

This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AU-2

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.3.1.1 Set 'Accounts: Block Microsoft accounts' to 'Users can't add or log on with Microsoft accounts'	Windows	CIS Windows 8 L1 v1.0.0
1.1.3.11.12 Set 'Network Security: Allow PKU2U authentication requeststo this computer to use online identities' to 'Disabled'	Windows	CIS Windows 8 L1 v1.0.0
2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.2.0
2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'	Windows	CIS Windows Server 2012 R2 DC L1 v2.4.0
2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'	Windows	CIS Windows Server 2012 R2 MS L1 v2.5.0
2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'	Windows	CIS Windows Server 2012 MS L1 v2.1.0
2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'	Windows	CIS Windows Server 2012 R2 DC L1 v2.5.0
2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'	Windows	CIS Windows Server 2012 DC L1 v2.1.0
2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'	Windows	CIS Microsoft Windows Server 2016 MS L1 v1.2.0
2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'	Windows	CIS Windows Server 2012 R2 MS L1 v2.4.0
2.3.11.2 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.1.0
2.3.11.2 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 Member Server Level 1 v3.1.0
2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 DC
2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 MS
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.2.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Windows Server 2012 R2 DC L1 v2.4.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 MS
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.1.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.1.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Windows Server 2012 R2 MS L1 v2.5.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.1.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 DC
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Windows Server 2012 DC L1 v2.1.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Windows Server 2012 MS L1 v2.1.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Windows Server 2012 R2 MS L1 v2.4.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Windows Server 2012 R2 DC L1 v2.5.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Microsoft Windows Server 2016 MS L1 v1.2.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.1.0
3.153 - PKU2U authentication using online identities must be prevented.	Windows	DISA Windows 7 STIG v1r32
3.153 - PKU2U authentication using online identities will be prevented.	Windows	DISA Windows Server 2008 R2 DC STIG v1r34
3.153 - PKU2U authentication using online identities will be prevented.	Windows	DISA Windows Server 2008 R2 MS STIG v1r33
8.3.2 Ensure use of the VM console is limited	VMware	CIS VMware ESXi 6.7 v1.1.0 Level 1
18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'	Windows	CIS Windows Server 2012 R2 MS L1 v2.5.0
18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 L1 Bitlocker v2.3.0
18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.2.0
18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'	Windows	CIS Microsoft Windows Server 2016 MS L1 v1.2.0
18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 L1 v2.3.0
18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'	Windows	CIS Windows Server 2012 R2 DC L1 v2.5.0
18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'	Windows	CIS Windows Server 2012 R2 DC L1 v2.4.0
18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'	Windows	CIS Windows Server 2012 R2 MS L1 v2.4.0
Allow Microsoft accounts to be optional	Windows	MSCT Windows 10 v21H2 v1.0.0
Allow Microsoft accounts to be optional	Windows	MSCT Windows 10 v22H2 v1.0.0
Allow Microsoft accounts to be optional	Windows	MSCT Windows 10 1909 v1.0.0
Allow Microsoft accounts to be optional	Windows	MSCT Windows Server 2012 R2 MS v1.0.0
Allow Microsoft accounts to be optional	Windows	MSCT Windows Server 2012 R2 DC v1.0.0
Allow Microsoft accounts to be optional	Windows	MSCT Windows 11 v23H2 v1.0.0

Detections

Analytics