1. Home
  2. FedRAMP
  3. IA-5

BRACKETOLOGY | FEDRAMP

IA-5: AUTHENTICATOR MANAGEMENT

  • FedRAMP Baseline Membership IA-5:
  • LOW
  • MODERATE
  • HIGH

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH

Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open

Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.

The organization manages information system authenticators by:

    • a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
    • b. Establishing initial authenticator content for authenticators defined by the organization;
    • c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
    • d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
    • e. Changing default content of authenticators prior to information system installation;
    • f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
    • g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
    • h. Protecting authenticator content from unauthorized disclosure and modification;
    • i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
    • j. Changing authenticators for group/role accounts when membership to those accounts changes.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

The organization manages information system authenticators by:

  • a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
  • b. Establishing initial authenticator content for authenticators defined by the organization;
  • c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  • d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
  • e. Changing default content of authenticators prior to information system installation;
  • f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
  • g. Changing/refreshing authenticators to include sixty (60) days for passwords;
  • h. Protecting authenticator content from unauthorized disclosure and modification;
  • i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
  • j. Changing authenticators for group/role accounts when membership to those accounts changes.

The organization manages information system authenticators by:

  • a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
  • b. Establishing initial authenticator content for authenticators defined by the organization;
  • c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  • d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
  • e. Changing default content of authenticators prior to information system installation;
  • f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
  • g. Changing/refreshing authenticators to include sixty (60) days for passwords;
  • h. Protecting authenticator content from unauthorized disclosure and modification;
  • i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
  • j. Changing authenticators for group/role accounts when membership to those accounts changes.

The organization manages information system authenticators by:

  • a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
  • b. Establishing initial authenticator content for authenticators defined by the organization;
  • c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  • d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
  • e. Changing default content of authenticators prior to information system installation;
  • f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
  • g. Changing/refreshing authenticators to include sixty (60) days for passwords;
  • h. Protecting authenticator content from unauthorized disclosure and modification;
  • i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
  • j. Changing authenticators for group/role accounts when membership to those accounts changes.

FedRAMP HIGH REQUIREMENT:

Authenticators must be compliant with NIST SP 800-63-2 Electronic Authentication Guideline assurance level 4. Link < href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf">http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

SUPPLEMENTAL GUIDANCE

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

CONTROL ENHANCEMENTS

IA-5 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION
  • FedRAMP Baseline Membership IA-5 (1):
  • LOW
  • MODERATE
  • HIGH

The information system, for password-based authentication:

    • (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
    • (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
    • ( c) Stores and transmits only cryptographically-protected passwords;
    • (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
    • (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
    • (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

The information system, for password-based authentication:

  • (a) Enforces minimum password complexity of case sensitive, minimum of twelve (12) characters, and at least one (1) each of upper-case letters, lower-case letters, numbers, and special characters;
  • (b) Enforces at least the following number of changed characters when new passwords are created: at least one (1);
  • (c) Stores and transmits only cryptographically-protected passwords;
  • (d) Enforces password minimum and maximum lifetime restrictions of one (1) day minimum, sixty (60) day maximum;
  • (e) Prohibits password reuse for twenty-four (24) generations; and
  • (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.

The information system, for password-based authentication:

  • (a) Enforces minimum password complexity of case sensitive, minimum of twelve (12) characters, and at least one (1) each of upper-case letters, lower-case letters, numbers, and special characters;
  • (b) Enforces at least the following number of changed characters when new passwords are created: at least one (1);
  • (c) Stores and transmits only cryptographically-protected passwords;
  • (d) Enforces password minimum and maximum lifetime restrictions of one (1) day minimum, sixty (60) day maximum;
  • (e) Prohibits password reuse for twenty-four (24) generations; and
  • (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.

The information system, for password-based authentication:

  • (a) Enforces minimum password complexity of case sensitive, minimum of fourteen (14) characters, and at least one (1) each of upper-case letters, lower-case letters, numbers, and special characters;
  • (b) Enforces at least the following number of changed characters when new passwords are created: at least fifty percent (50%);
  • (c) Stores and transmits only cryptographically-protected passwords;
  • (d) Enforces password minimum and maximum lifetime restrictions of one (1) day minimum, sixty (60) day maximum;
  • (e) Prohibits password reuse for twenty-four (24) generations; and
  • (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.

Supplemental Guidance:

This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.

RELATED CONTROLS: IA-5 (1)

IA-5 (2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION
  • FedRAMP Baseline Membership IA-5 (2):
  • MODERATE
  • HIGH

The information system, for PKI-based authentication:

    • (a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
    • (b) Enforces authorized access to the corresponding private key;
    • ( c) Maps the authenticated identity to the account of the individual or group; and
    • (d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

Supplemental Guidance:

Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.

RELATED CONTROLS: IA-5 (2)

IA-5 (3) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
  • FedRAMP Baseline Membership IA-5 (3):
  • MODERATE
  • HIGH

The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

The organization requires that the registration process to receive All hardware/biometric (multifactor authenticators be conducted in person; by a trusted third party before organization-defined registration authority with authorization by organization-defined personnel or roles].

The organization requires that the registration process to receive All hardware/biometric (multifactor authenticators be conducted in person

; by a trusted third party before organization-defined registration authority with authorization by organization-defined personnel or roles].


Supplemental Guidance: NONE

IA-5 (4) AUTHENTICATOR MANAGEMENT | AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION
  • FedRAMP Baseline Membership IA-5 (4):
  • MODERATE
  • HIGH

The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

There are no FedRAMP-specific BRACKET requirements if this control is used for a MODERATE Impact system.

FedRAMP GUIDANCE:

If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.

The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy complexity as identified in IA-5 (1) Control Enhancement (H) Part A.

FedRAMP GUIDANCE:

If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.


Supplemental Guidance:

This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1).

RELATED CONTROLS: IA-5 (4)

IA-5 (5) AUTHENTICATOR MANAGEMENT | CHANGE AUTHENTICATORS PRIOR TO DELIVERY

The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.

Supplemental Guidance:

This control enhancement extends the requirement for organizations to change default authenticators upon information system installation, by requiring developers and/or installers to provide unique authenticators or change default authenticators for system components prior to delivery and/or installation. However, it typically does not apply to the developers of commercial off-the-shelve information technology products. Requirements for unique authenticators can be included in acquisition documents prepared by organizations when procuring information systems or system components.

IA-5 (6) AUTHENTICATOR MANAGEMENT | PROTECTION OF AUTHENTICATORS
  • FedRAMP Baseline Membership IA-5 (6):
  • MODERATE
  • HIGH

The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.

Supplemental Guidance:

For information systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems.

IA-5 (7) AUTHENTICATOR MANAGEMENT | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS
  • FedRAMP Baseline Membership IA-5 (7):
  • MODERATE
  • HIGH

The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

Supplemental Guidance:

Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password).

IA-5 (8) AUTHENTICATOR MANAGEMENT | MULTIPLE INFORMATION SYSTEM ACCOUNTS
  • FedRAMP Baseline Membership IA-5 (8):
  • HIGH

The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.

The organization implements different authenticators on different systems to manage the risk of compromise due to individuals having accounts on multiple information systems.


Supplemental Guidance:

When individuals have accounts on multiple information systems, there is the risk that the compromise of one account may lead to the compromise of other accounts if individuals use the same authenticators. Possible alternatives include, for example: (i) having different authenticators on all systems; (ii) employing some form of single sign-on mechanism; or (iii) including some form of one-time passwords on all systems.

IA-5 (9) AUTHENTICATOR MANAGEMENT | CROSS-ORGANIZATION CREDENTIAL MANAGEMENT

The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials.

Supplemental Guidance:

Cross-organization management of credentials provides the capability for organizations to appropriately authenticate individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information.

IA-5 (10) AUTHENTICATOR MANAGEMENT | DYNAMIC CREDENTIAL ASSOCIATION

The information system dynamically provisions identities.

Supplemental Guidance:

Authentication requires some form of binding between an identity and the authenticator used to confirm the identity. In conventional approaches, this binding is established by pre-provisioning both the identity and the authenticator to the information system. For example, the binding between a username (i.e., identity) and a password (i.e., authenticator) is accomplished by provisioning the identity and authenticator as a pair in the information system. New authentication techniques allow the binding between the identity and the authenticator to be implemented outside an information system. For example, with smartcard credentials, the identity and the authenticator are bound together on the card. Using these credentials, information systems can authenticate identities that have not been pre-provisioned, dynamically provisioning the identity after authentication. In these situations, organizations can anticipate the dynamic provisioning of identities. Preestablished trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.

IA-5 (11) AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION
  • FedRAMP Baseline Membership IA-5 (11):
  • LOW
  • MODERATE
  • HIGH

The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.

There are no FedRAMP-specific requirements if this control is used for a HIGH Impact system.


Supplemental Guidance:

Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI.

IA-5 (12) AUTHENTICATOR MANAGEMENT | BIOMETRIC-BASED AUTHENTICATION

The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements].

Supplemental Guidance:

Unlike password-based authentication which provides exact matches of user-input passwords to stored passwords, biometric authentication does not provide such exact matches. Depending upon the type of biometric and the type of collection mechanism, there is likely to be some divergence from the presented biometric and stored biometric which serves as the basis of comparison. There will likely be both false positives and false negatives when making such comparisons. The rate at which the false accept and false reject rates are equal is known as the crossover rate. Biometric quality requirements include, for example, acceptable crossover rates, as that essentially reflects the accuracy of the biometric.

IA-5 (13) AUTHENTICATOR MANAGEMENT | EXPIRATION OF CACHED AUTHENTICATORS
  • FedRAMP Baseline Membership IA-5 (13):
  • HIGH

The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period].

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.

There are no FedRAMP-specific requirements if this control is used for a HIGH Impact system.


Supplemental Guidance: NONE

IA-5 (14) AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES

The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.

Supplemental Guidance: NONE

IA-5 (15) AUTHENTICATOR MANAGEMENT | FICAM-APPROVED PRODUCTS AND SERVICES

The organization uses only FICAM-approved path discovery and validation products and services.

Supplemental Guidance:

Federal Identity, Credential, and Access Management (FICAM)-approved path discovery and validation products and services are those products and services that have been approved through the FICAM conformance program, where applicable.

REFERENCES:

  • FICAM Roadmap and Implementation Guidance
  • FIPS Publication 201
  • NIST Special Publication 800-63
  • NIST Special Publication 800-73
  • NIST Special Publication 800-76
  • NIST Special Publication 800-78
  • OMB Memorandum 04-04
  • OMB Memorandum 11-11
  • http://idmanagement.gov