800-53|IA-2

Title

IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Description

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Supplemental

Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.

Reference Item Details

Related: AC-14,AC-17,AC-18,AC-2,AC-3,IA-4,IA-5,IA-8

Category: IDENTIFICATION AND AUTHENTICATION

Family: IDENTIFICATION AND AUTHENTICATION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1 Ensure that corporate login credentials are usedGCPCIS Google Cloud Platform v1.1.0 L1
1.1 Ensure that multi-factor authentication is enabled for all privileged usersmicrosoft_azureCIS Microsoft Azure Foundations v1.3.1 L1
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
1.1.1 Configure AAA Authentication - TACACS - aaa authenticationCiscoCIS Cisco NX-OS L1 v1.0.0
1.1.1 Configure AAA Authentication - TACACS - aaa authenticationCiscoCIS Cisco NX-OS L2 v1.0.0
1.1.1 Configure AAA Authentication - TACACS - aaa groupCiscoCIS Cisco NX-OS L1 v1.0.0
1.1.1 Configure AAA Authentication - TACACS - aaa groupCiscoCIS Cisco NX-OS L2 v1.0.0
1.1.1 Configure AAA Authentication - TACACS - feature tacacs+CiscoCIS Cisco NX-OS L2 v1.0.0
1.1.1 Configure AAA Authentication - TACACS - feature tacacs+CiscoCIS Cisco NX-OS L1 v1.0.0
1.1.1 Configure AAA Authentication - TACACS - tacacs-serverCiscoCIS Cisco NX-OS L1 v1.0.0
1.1.1 Configure AAA Authentication - TACACS - tacacs-serverCiscoCIS Cisco NX-OS L2 v1.0.0
1.1.1 Enable 'aaa new-model'CiscoCIS Cisco IOS 12 L1 v4.0.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Windows Server 2012 DC L1 v2.2.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Windows Server 2012 MS L1 v2.2.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.2.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.2.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2008 Member Server Level 1 v3.2.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0
1.1.1 Ensure multifactor authentication is enabled for all users in administrative rolesmicrosoft_azureCIS Microsoft 365 Foundations E3 L1 v1.4.0
1.1.1 Ensure that the --anonymous-auth argument is set to falseUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.1 Ensure that the --anonymous-auth argument is set to falseUnixCIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.1 Ensure that the --anonymous-auth argument is set to falseUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1
1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
1.1.2 Configure AAA Authentication - RADIUS - aaa authenticationCiscoCIS Cisco NX-OS L1 v1.0.0
1.1.2 Configure AAA Authentication - RADIUS - aaa authenticationCiscoCIS Cisco NX-OS L2 v1.0.0
1.1.2 Configure AAA Authentication - RADIUS - aaa groupCiscoCIS Cisco NX-OS L2 v1.0.0
1.1.2 Configure AAA Authentication - RADIUS - aaa groupCiscoCIS Cisco NX-OS L1 v1.0.0
1.1.2 Configure AAA Authentication - RADIUS - radius-server hostCiscoCIS Cisco NX-OS L1 v1.0.0
1.1.2 Configure AAA Authentication - RADIUS - radius-server hostCiscoCIS Cisco NX-OS L2 v1.0.0
1.1.2 Enable 'aaa authentication login'CiscoCIS Cisco IOS 12 L1 v4.0.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'WindowsCIS Windows Server 2012 DC L1 v2.2.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'WindowsCIS Windows Server 2012 MS L1 v2.2.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'WindowsCIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.2.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'WindowsCIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'WindowsCIS Microsoft Windows Server 2008 Member Server Level 1 v3.2.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'WindowsCIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.2.0
1.1.2 Ensure multifactor authentication is enabled for all users in all rolesmicrosoft_azureCIS Microsoft 365 Foundations E3 L2 v1.4.0
1.1.2 Ensure that the --anonymous-auth argument is set to falseUnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
1.1.3 Configure AAA Authentication - Local SSH keysCiscoCIS Cisco NX-OS L1 v1.0.0
1.1.3 Enable 'aaa authentication enable default'CiscoCIS Cisco IOS 12 L1 v4.0.0
1.1.15 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users.microsoft_azureCIS Microsoft 365 Foundations E3 L1 v1.4.0
1.1.16 Ensure the option to stay signed in is disabledmicrosoft_azureCIS Microsoft 365 Foundations E3 L2 v1.4.0
1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriateUnixCIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificateUnixCIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - keyUnixCIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.008 - Shared user accounts are permitted on the system.WindowsDISA Windows Vista STIG v6r41