IA-5: AUTHENTICATOR MANAGEMENT
TAILORED FOR INDUSTRIAL CONTROL SYSTEMS
ICS Control Baselines:
- Low
- Moderate
- High
The organization manages information system authenticators by:
- a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
- b. Establishing initial authenticator content for authenticators defined by the organization;
- c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
- d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
- e. Changing default content of authenticators prior to information system installation;
- f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
- g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
- h. Protecting authenticator content from unauthorized disclosure and modification;
- i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
- j. Changing authenticators for group/role accounts when membership to those accounts changes.
SUPPLEMENTAL GUIDANCE
Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
ICS SUPPLEMENTAL GUIDANCE
Example compensating controls include physical access control, encapsulating the ICS to provide authentication external to the ICS.
RELATED CONTROLS: IA-5
CONTROL ENHANCEMENTS
IA-5 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION
ICS Control Baselines:
- Low
- Moderate
- High
The information system, for password-based authentication:
- (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
- (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
- (c) Stores and transmits only cryptographically-protected passwords;
- (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
- (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
- (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
Supplemental Guidance:
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.
No ICS Supplemental Guidance.
RELATED CONTROLS: IA-5 (1)
IA-5 (2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION
ICS Control Baselines:
- Moderate
- High
The information system, for PKI-based authentication:
- (a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
- (b) Enforces authorized access to the corresponding private key;
- ( c) Maps the authenticated identity to the account of the individual or group; and
- (d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
Supplemental Guidance:
Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.
No ICS Supplemental Guidance.
RELATED CONTROLS: IA-5 (2)
IA-5 (3) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
ICS Control Baselines:
- Moderate
- High
The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
Supplemental Guidance: NONE
No ICS Supplemental Guidance.
IA-5 (4) AUTHENTICATOR MANAGEMENT | AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION
NOT SELECTED FOR THE NIST ISC CONTROL SET
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].
Supplemental Guidance:
This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1).
RELATED CONTROLS: IA-5 (4)
IA-5 (5) AUTHENTICATOR MANAGEMENT | CHANGE AUTHENTICATORS PRIOR TO DELIVERY
NOT SELECTED FOR THE NIST ISC CONTROL SET
The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.
Supplemental Guidance:
This control enhancement extends the requirement for organizations to change default authenticators upon information system installation, by requiring developers and/or installers to provide unique authenticators or change default authenticators for system components prior to delivery and/or installation. However, it typically does not apply to the developers of commercial off-the-shelve information technology products. Requirements for unique authenticators can be included in acquisition documents prepared by organizations when procuring information systems or system components.
IA-5 (6) AUTHENTICATOR MANAGEMENT | PROTECTION OF AUTHENTICATORS
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
Supplemental Guidance:
For information systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems.
IA-5 (7) AUTHENTICATOR MANAGEMENT | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS
NOT SELECTED FOR THE NIST ISC CONTROL SET
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
Supplemental Guidance:
Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password).
IA-5 (8) AUTHENTICATOR MANAGEMENT | MULTIPLE INFORMATION SYSTEM ACCOUNTS
NOT SELECTED FOR THE NIST ISC CONTROL SET
The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems.
Supplemental Guidance:
When individuals have accounts on multiple information systems, there is the risk that the compromise of one account may lead to the compromise of other accounts if individuals use the same authenticators. Possible alternatives include, for example: (i) having different authenticators on all systems; (ii) employing some form of single sign-on mechanism; or (iii) including some form of one-time passwords on all systems.
IA-5 (9) AUTHENTICATOR MANAGEMENT | CROSS-ORGANIZATION CREDENTIAL MANAGEMENT
NOT SELECTED FOR THE NIST ISC CONTROL SET
The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials.
Supplemental Guidance:
Cross-organization management of credentials provides the capability for organizations to appropriately authenticate individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information.
IA-5 (10) AUTHENTICATOR MANAGEMENT | DYNAMIC CREDENTIAL ASSOCIATION
NOT SELECTED FOR THE NIST ISC CONTROL SET
The information system dynamically provisions identities.
Supplemental Guidance:
Authentication requires some form of binding between an identity and the authenticator used to confirm the identity. In conventional approaches, this binding is established by pre-provisioning both the identity and the authenticator to the information system. For example, the binding between a username (i.e., identity) and a password (i.e., authenticator) is accomplished by provisioning the identity and authenticator as a pair in the information system. New authentication techniques allow the binding between the identity and the authenticator to be implemented outside an information system. For example, with smartcard credentials, the identity and the authenticator are bound together on the card. Using these credentials, information systems can authenticate identities that have not been pre-provisioned, dynamically provisioning the identity after authentication. In these situations, organizations can anticipate the dynamic provisioning of identities. Preestablished trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.
IA-5 (11) AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION
ICS Control Baselines:
- Low
- Moderate
- High
The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].
Supplemental Guidance:
Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI.
No ICS Supplemental Guidance.
IA-5 (12) AUTHENTICATOR MANAGEMENT | BIOMETRIC-BASED AUTHENTICATION
NOT SELECTED FOR THE NIST ISC CONTROL SET
The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements].
Supplemental Guidance:
Unlike password-based authentication which provides exact matches of user-input passwords to stored passwords, biometric authentication does not provide such exact matches. Depending upon the type of biometric and the type of collection mechanism, there is likely to be some divergence from the presented biometric and stored biometric which serves as the basis of comparison. There will likely be both false positives and false negatives when making such comparisons. The rate at which the false accept and false reject rates are equal is known as the crossover rate. Biometric quality requirements include, for example, acceptable crossover rates, as that essentially reflects the accuracy of the biometric.
IA-5 (13) AUTHENTICATOR MANAGEMENT | EXPIRATION OF CACHED AUTHENTICATORS
NOT SELECTED FOR THE NIST ISC CONTROL SET
The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period].
Supplemental Guidance: NONE
IA-5 (14) AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES
NOT SELECTED FOR THE NIST ISC CONTROL SET
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.
Supplemental Guidance: NONE
IA-5 (15) AUTHENTICATOR MANAGEMENT | FICAM-APPROVED PRODUCTS AND SERVICES
NOT SELECTED FOR THE NIST ISC CONTROL SET
The organization uses only FICAM-approved path discovery and validation products and services.
Supplemental Guidance:
Federal Identity, Credential, and Access Management (FICAM)-approved path discovery and validation products and services are those products and services that have been approved through the FICAM conformance program, where applicable.
REFERENCES:
- NIST Special Publication 800-82
- FICAM Roadmap and Implementation Guidance
- FIPS Publication 201
- NIST Special Publication 800-63
- NIST Special Publication 800-73
- NIST Special Publication 800-76
- NIST Special Publication 800-78
- OMB Memorandum 04-04
- OMB Memorandum 11-11
- http://idmanagement.gov