IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)

TAILORED FOR INDUSTRIAL CONTROL SYSTEMS

  • ICS Control Baselines:
  • Low
  • Moderate
  • High

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

SUPPLEMENTAL GUIDANCE

Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.

ICS SUPPLEMENTAL GUIDANCE

The ICS Supplemental Guidance for IA-2, Identification and Authentication (Organizational Users), is applicable for Non-Organizational Users.

CONTROL ENHANCEMENTS

IA-8 (1) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES
  • ICS Control Baselines:
  • Low
  • Moderate
  • High

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

Supplemental Guidance:

This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

ICS Supplemental Guidance:

Example compensating controls include implementing support external to the ICS and multi-factor authentication.

RELATED CONTROLS: IA-8 (1)

IA-8 (2) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF THIRD-PARTY CREDENTIALS
  • ICS Control Baselines:
  • Low
  • Moderate
  • High

The information system accepts only FICAM-approved third-party credentials.

Supplemental Guidance:

This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.

ICS Supplemental Guidance:

Example compensating controls include implementing support external to the ICS and multi-factor authentication.

RELATED CONTROLS: IA-8 (2)

IA-8 (3) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-APPROVED PRODUCTS
  • ICS Control Baselines:
  • Low
  • Moderate
  • High

The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials.

Supplemental Guidance:

This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.

ICS Supplemental Guidance:

Example compensating controls include implementing support external to the ICS and multi-factor authentication.

RELATED CONTROLS: IA-8 (3)

IA-8 (4) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-ISSUED PROFILES
  • ICS Control Baselines:
  • Low
  • Moderate
  • High

The information system conforms to FICAM-issued profiles.

Supplemental Guidance:

This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).

ICS Supplemental Guidance:

Example compensating controls include implementing support external to the ICS and multi-factor authentication.

RELATED CONTROLS: IA-8 (4)

IA-8 (5) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV-I CREDENTIALS

NOT SELECTED FOR THE NIST ICS CONTROL SET

The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials.

Supplemental Guidance:

This control enhancement: (i) applies to logical and physical access control systems; and (ii) addresses Non-Federal Issuers (NFIs) of identity cards that desire to interoperate with United States Government Personal Identity Verification (PIV) information systems and that can be trusted by federal government-relying parties. The X.509 certificate policy for the Federal Bridge Certification Authority (FBCA) addresses PIV-I requirements. The PIV-I card is suitable for Assurance Level 4 as defined in OMB Memorandum 04-04 and NIST Special Publication 800-63, and multifactor authentication as defined in NIST Special Publication 800-116. PIV-I credentials are those credentials issued by a PIV-I provider whose PIV-I certificate policy maps to the Federal Bridge PIV-I Certificate Policy. A PIV-I provider is cross-certified (directly or through another PKI bridge) with the FBCA with policies that have been mapped and approved as meeting the requirements of the PIV-I policies defined in the FBCA certificate policy.
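The trust decision described above for IA-8 (1) and IA-8 (5), where a relying party accepts a PIV or PIV-I credential only if the issuer's certificate policy has been mapped to the Federal Bridge policy (directly or through another bridge), is the certificate-policy and policy-mapping step of X.509 path processing. The following added example, which is not part of the control text, models only that step over a constructed chain; the policy OIDs, CA names and chains are placeholders, and signature, validity-period and revocation checks are assumed to be done elsewhere.

```python
from dataclasses import dataclass

# Constructed placeholder OIDs: NOT the real FBCA or provider policy identifiers.
FBCA_PIVI_HW = "2.16.840.1.101.3.2.1.3.9001"   # stands in for the Federal Bridge PIV-I hardware policy
BRIDGE_PIVI_HW = "1.3.6.1.4.1.55555.1.1"       # an intermediate bridge's equivalent policy
PROVIDER_PIVI_HW = "1.3.6.1.4.1.66666.2.1"     # a PIV-I provider's own PIV-I hardware policy
PROVIDER_BASIC = "1.3.6.1.4.1.66666.2.9"       # a provider policy that was never mapped to FBCA
ANY_POLICY = "2.5.29.32.0"                     # RFC 5280 anyPolicy

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    policies: frozenset              # certificatePolicies asserted by this certificate
    mappings: tuple = ()             # policyMappings: (issuerDomainPolicy, subjectDomainPolicy) pairs

def trusted_leaf_policies(chain, anchor, initial_policies):
    """Walk the chain from the trust anchor to the end-entity certificate and return the
    leaf's policy OIDs that are equivalent, via cross-certification policy mappings, to the
    relying party's initial policy set. An empty set means the credential is not trusted."""
    valid = set(initial_policies)
    expected_issuer = anchor
    for cert in chain:
        if cert.issuer != expected_issuer:
            return set()                        # not a path that starts at the trust anchor
        if ANY_POLICY not in cert.policies:     # anyPolicy asserts every still-valid policy
            valid &= cert.policies              # a CA that drops the policy breaks the assurance chain
        if not valid:
            return set()
        translated = set()                      # rename policies into the subject CA's domain
        for pol in valid:
            mapped = {subj for iss, subj in cert.mappings if iss == pol}
            translated |= mapped if mapped else {pol}
        valid = translated
        expected_issuer = cert.subject
    return valid

def accepts_pivi(chain):
    """Relying-party decision: the relying party trusts FBCA and requires the PIV-I hardware policy."""
    return bool(trusted_leaf_policies(chain, "FBCA", {FBCA_PIVI_HW}))

# Constructed chains. Direct: FBCA cross-certifies the provider CA and maps its policy.
CROSS_DIRECT = Cert("ProviderCA", "FBCA", frozenset({FBCA_PIVI_HW}), ((FBCA_PIVI_HW, PROVIDER_PIVI_HW),))
LEAF_PIVI = Cert("cardholder", "ProviderCA", frozenset({PROVIDER_PIVI_HW}))
DIRECT_CHAIN = [CROSS_DIRECT, LEAF_PIVI]
# Indirect: FBCA -> another bridge -> provider CA, each hop carrying its own mapping.
FBCA_TO_BRIDGE = Cert("OtherBridge", "FBCA", frozenset({FBCA_PIVI_HW}), ((FBCA_PIVI_HW, BRIDGE_PIVI_HW),))
BRIDGE_TO_PROVIDER = Cert("ProviderCA", "OtherBridge", frozenset({BRIDGE_PIVI_HW}), ((BRIDGE_PIVI_HW, PROVIDER_PIVI_HW),))
BRIDGED_CHAIN = [FBCA_TO_BRIDGE, BRIDGE_TO_PROVIDER, LEAF_PIVI]
# Rejected: same provider, but the card asserts a policy that was never mapped to the FBCA policy.
REJECTED_CHAIN = [CROSS_DIRECT, Cert("cardholder", "ProviderCA", frozenset({PROVIDER_BASIC}))]
```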

RELATED CONTROLS: IA-8 (5)

REFERENCES:

  • NIST Special Publication 800-82
  • FICAM Roadmap and Implementation Guidance
  • FIPS Publication 201
  • NIST Special Publication 800-116
  • NIST Special Publication 800-63
  • National Strategy for Trusted Identities in Cyberspace
  • OMB Memorandum 04-04
  • OMB Memorandum 10-06-2011
  • OMB Memorandum 11-11
  • http://idmanagement.gov