800-53|IA-8

Title

IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)

Description

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

Supplemental

Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.

Reference Item Details

Related: AC-14,AC-17,AC-18,AC-2,IA-2,IA-4,IA-5,MA-4,RA-3,SA-12,SC-8

Category: IDENTIFICATION AND AUTHENTICATION

Family: IDENTIFICATION AND AUTHENTICATION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.3.1.1 Set 'Accounts: Block Microsoft accounts' to 'Users can't add or log on with Microsoft accounts'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.11.12 Set 'Network Security: Allow PKU2U authentication requeststo this computer to use online identities' to 'Disabled'WindowsCIS Windows 8 L1 v1.0.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'WindowsCIS Windows Server 2012 MS L1 v2.4.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2019 DC L1 v1.3.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'WindowsCIS Windows Server 2012 R2 MS L1 v2.6.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2019 MS L1 v1.3.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2016 MS L1 v1.4.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'WindowsCIS Windows Server 2012 DC L1 v2.4.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2022 v1.0.0 L1 DC
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2016 DC L1 v1.4.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'WindowsCIS Windows Server 2012 R2 DC L1 v2.6.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
4.020 - The built-in guest account is not disabled.WindowsDISA Windows Vista STIG v6r41
AIX7-00-001009 - All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users).UnixDISA STIG AIX 7.x v2r6
Allow Microsoft accounts to be optionalWindowsMSCT Windows 10 v21H2 v1.0.0
Allow Microsoft accounts to be optionalWindowsMSCT Windows 10 1909 v1.0.0
Allow Microsoft accounts to be optionalWindowsMSCT Windows 10 1809 v1.0.0
Allow Microsoft accounts to be optionalWindowsMSCT Windows Server 2012 R2 DC v1.0.0
Allow Microsoft accounts to be optionalWindowsMSCT Windows 10 v2004 v1.0.0
Allow Microsoft accounts to be optionalWindowsMSCT Windows 10 v22H2 v1.0.0
Allow Microsoft accounts to be optionalWindowsMSCT Windows 10 1903 v1.19.9
Allow Microsoft accounts to be optionalWindowsMSCT Windows 10 1803 v1.0.0
Allow Microsoft accounts to be optionalWindowsMSCT Windows 10 v1507 v1.0.0
Allow Microsoft accounts to be optionalWindowsMSCT Windows Server 2012 R2 MS v1.0.0
Allow Microsoft accounts to be optionalWindowsMSCT Windows 10 v20H2 v1.0.0
Allow Microsoft accounts to be optionalWindowsMSCT Windows 10 v21H1 v1.0.0
Allow Microsoft accounts to be optionalWindowsMSCT Windows 11 v1.0.0
Allow Microsoft accounts to be optionalWindowsMSCT Windows 11 v22H2 v1.0.0
Big Sur - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Big Sur v1.4.0 - 800-53r4 Low
Catalina - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Catalina v1.5.0 - 800-53r4 Low
Catalina - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Configure the System to Uniquely Identify and Authenticate Non-Organizational UsersUnixNIST macOS Catalina v1.5.0 - All Profiles
DKER-EE-001100 - LDAP integration in Docker Enterprise must be configured.UnixDISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r1
DKER-EE-002180 - SAML integration must be enabled in Docker Enterprise.UnixDISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r1
F5BI-AP-000087 - The BIG-IP APM module must be configured to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users) when connecting to virtual servers.F5DISA F5 BIG-IP Access Policy Manager 11.x STIG v2r1
F5BI-AP-000211 - The BIG-IP APM module must conform to FICAM-issued profiles.F5DISA F5 BIG-IP Access Policy Manager 11.x STIG v2r1
F5BI-LT-000087 - The BIG-IP Core implementation must be configured to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users) when connecting to virtual servers.F5DISA F5 BIG-IP Local Traffic Manager 11.x STIG v2r1