BRACKETOLOGY | FEDRAMP

IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

  • FedRAMP Baseline Membership IA-2:
  • LOW
  • MODERATE
  • HIGH

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

SUPPLEMENTAL GUIDANCE

Organizational users include employees or individuals that organizations deem to have equivalent status to employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or, in the case of multifactor authentication, some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network.

Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.

CONTROL ENHANCEMENTS

IA-2 (1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS
  • FedRAMP Baseline Membership IA-2 (1):
  • LOW
  • MODERATE
  • HIGH

The information system implements multifactor authentication for network access to privileged accounts.

Supplemental Guidance: NONE

RELATED CONTROLS: IA-2 (1)

IA-2 (2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS
  • FedRAMP Baseline Membership IA-2 (2):
  • MODERATE
  • HIGH

The information system implements multifactor authentication for network access to non-privileged accounts.

Supplemental Guidance: NONE

IA-2 (3) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | LOCAL ACCESS TO PRIVILEGED ACCOUNTS
  • FedRAMP Baseline Membership IA-2 (3):
  • MODERATE
  • HIGH

The information system implements multifactor authentication for local access to privileged accounts.

Supplemental Guidance: NONE

RELATED CONTROLS: IA-2 (3)

IA-2 (4) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS
  • FedRAMP Baseline Membership IA-2 (4):
  • HIGH

The information system implements multifactor authentication for local access to non-privileged accounts.

Supplemental Guidance: NONE

IA-2 (5) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | GROUP AUTHENTICATION
  • FedRAMP Baseline Membership IA-2 (5):
  • MODERATE
  • HIGH

The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.

Supplemental Guidance:

Requiring individuals to use individual authenticators as a second level of authentication helps organizations to mitigate the risk of using group authenticators.

IA-2 (6) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - SEPARATE DEVICE

The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

Supplemental Guidance: NONE

RELATED CONTROLS: IA-2 (6)

IA-2 (7) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - SEPARATE DEVICE

The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

Supplemental Guidance: NONE

IA-2 (8) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT
  • FedRAMP Baseline Membership IA-2 (8):
  • MODERATE
  • HIGH

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

Supplemental Guidance:

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.

IA-2 (9) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT
  • FedRAMP Baseline Membership IA-2 (9):
  • HIGH

The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

Supplemental Guidance:

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.
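As an added example (not part of the FedRAMP or NIST text), the following Python models the nonce-based challenge-response pattern that IA-2 (8) and IA-2 (9) describe: each login gets a fresh server nonce that is spent on its first use, so a recorded authentication message fails when presented again. Class and function names and the shared secret are constructed for the demo.

```python
"""Challenge-response login with single-use nonces (added example; hypothetical names)."""
import hashlib
import hmac
import secrets
import time


def compute_response(secret, nonce):
    """Client side: prove possession of the shared secret without sending it."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class ChallengeServer:
    """Issues a fresh random nonce per login and consumes it on the first attempt."""

    def __init__(self, user_secrets, nonce_ttl=60.0):
        self._secrets = dict(user_secrets)  # user -> shared secret (constructed)
        self._pending = {}                  # nonce -> (user, issued_at)
        self._nonce_ttl = nonce_ttl

    def issue_challenge(self, user, now=None):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (user, time.time() if now is None else now)
        return nonce

    def verify(self, user, nonce, response, now=None):
        now = time.time() if now is None else now
        # Pop before checking: a nonce is spent by any attempt, so a recorded
        # response (or an online guess against the same challenge) cannot reuse it.
        entry = self._pending.pop(nonce, None)
        if entry is None or entry[0] != user or user not in self._secrets:
            return False
        if now - entry[1] > self._nonce_ttl:     # stale challenge
            return False
        expected = compute_response(self._secrets[user], nonce)
        return hmac.compare_digest(expected, response)


def demo():
    """Return (first_login_ok, replay_ok) for one honest login and one replay."""
    secret = b"constructed-shared-secret"
    server = ChallengeServer({"alice": secret})
    nonce = server.issue_challenge("alice")
    response = compute_response(secret, nonce)
    first = server.verify("alice", nonce, response)
    # The same (nonce, response) pair captured from the wire is presented again.
    replay = server.verify("alice", nonce, response)
    return first, replay
```

A static password sent over the network has no per-login component, so the same recording-and-resending that fails here would succeed against it; the nonce (or, for time-synchronous one-time authenticators, the time step) is what makes the message useless a second time.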

IA-2 (10) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | SINGLE SIGN-ON

The information system provides a single sign-on capability for [Assignment: organization-defined information system accounts and services].

Supplemental Guidance:

Single sign-on enables users to log in once and gain access to multiple information system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the increased risk from disclosures of single authenticators providing access to multiple system resources.

IA-2 (11) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | REMOTE ACCESS - SEPARATE DEVICE
  • FedRAMP Baseline Membership IA-2 (11):
  • MODERATE
  • HIGH

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets FIPS 140-2, NIAP* Certification, or NSA approval. *National Information Assurance Partnership (NIAP).

FedRAMP GUIDANCE:

PIV = separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials. FIPS 140-2 means validated by the Cryptographic Module Validation Program (CMVP).

Supplemental Guidance:

For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.

RELATED CONTROLS: IA-2 (11)

IA-2 (12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS
  • FedRAMP Baseline Membership IA-2 (12):
  • LOW
  • MODERATE
  • HIGH

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

Supplemental Guidance:

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

FedRAMP GUIDANCE:

Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

RELATED CONTROLS: IA-2 (12)

IA-2 (13) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | OUT-OF-BAND AUTHENTICATION

The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions].

Supplemental Guidance:

Out-of-band authentication (OOBA) refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path) is used to identify and authenticate users or devices, and generally is the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access, and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user's cell phone to verify that the requested action originated from the user. The user may either confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. This type of authentication can be employed by organizations to mitigate actual or suspected man-in-the-middle attacks. The conditions for activation can include, for example, suspicious activities, new threat indicators or elevated threat levels, or the impact level or classification level of information in requested transactions.
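The two-path flow described above, as an added example in Python (hypothetical names, not code from FedRAMP or NIST): the in-band request is fingerprinted, the confirmation code delivered over the second path is bound to that fingerprint, and approval requires the user's stated intent to match what the server actually received, which is what defeats an in-transit modification. The delivery hook and activation condition stand in for the organization-defined channel and conditions.

```python
"""Out-of-band confirmation bound to the in-band request (added example; hypothetical names)."""
import hashlib
import hmac
import secrets


def request_digest(user, action):
    """Fingerprint of exactly what was requested on the in-band path."""
    return hashlib.sha256(f"{user}\n{action}".encode()).hexdigest()


class OobVerifier:
    """Second-path check for requests that meet an organization-defined condition."""

    def __init__(self, send_out_of_band, needs_oob):
        self._send = send_out_of_band  # delivery hook standing in for a phone/SMS channel
        self._needs_oob = needs_oob    # callable(action) -> bool, the activation condition
        self._pending = {}             # user -> (code, digest of the in-band request)

    def submit(self, user, action):
        """In-band path: return 'approved' or 'pending' (awaiting out-of-band confirmation)."""
        if not self._needs_oob(action):
            return "approved"
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (code, request_digest(user, action))
        self._send(user, f"Confirm '{action}' with code {code}")
        return "pending"

    def confirm(self, user, intended_action, code):
        """Out-of-band path: user states the intended action and gives the code;
        approval requires both the code and the in-band request to match."""
        entry = self._pending.pop(user, None)  # single use
        if entry is None:
            return False
        code_ok = hmac.compare_digest(entry[0], code)
        return code_ok and entry[1] == request_digest(user, intended_action)


def demo():
    """Return (honest_ok, altered_ok): an in-transit change to the request is rejected."""
    outbox = []  # constructed stand-in for the second communication path
    v = OobVerifier(lambda u, m: outbox.append(m), lambda a: a.startswith("transfer"))
    v.submit("alice", "transfer 100 to savings")
    honest = v.confirm("alice", "transfer 100 to savings", outbox[-1].rsplit(" ", 1)[1])
    # Same user intends the same transfer, but the in-band request arrived modified.
    v.submit("alice", "transfer 100 to other-account")
    altered = v.confirm("alice", "transfer 100 to savings", outbox[-1].rsplit(" ", 1)[1])
    return honest, altered
```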

RELATED CONTROLS: IA-2 (13)

REFERENCES:

  • FICAM Roadmap and Implementation Guidance
  • FIPS Publication 201
  • HSPD-12
  • NIST Special Publication 800-63
  • NIST Special Publication 800-73
  • NIST Special Publication 800-76
  • NIST Special Publication 800-78
  • OMB Memorandum 04-04
  • OMB Memorandum 06-16
  • OMB Memorandum 11-11
  • http://idmanagement.gov