ARTIFACTS
IA: IDENTIFICATION & AUTHENTICATION
What's On This Page
Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts organized in a way to make the information usable. From here you can navigate to the individual control pages where the artifacts associated with each control or control enhancement are displayed with the control. You can use the Links Panels to select the individual controls or control enhancements you want to work with.
Supplement the artifacts here with other relevant documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.
The Source of the Artifacts
The control information comes from NIST Special Publication 800-53R4, Security and Privacy Controls for Information Systems and Organizations, and NIST Special Publication 800-53AR4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful in understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.
Essential Artifacts for Risk-Based Cybersecurity Programs
This section includes core documents for risk-based cybersecurity; the POLICY & PROCEDURES document for the Identification & Authentication (IA) family; and documents that are widely used in the assessment of controls and control enhancements in the (IA) family. Policy and Procedure documents from control families are in CAPS and identified with their two-letter code.
CORE ARTIFACTS
IDENTIFICATION & AUTHENTICATION policy (IA)
Security Authorization Package Documents: ESSENTIALS
ACCESS CONTROL POLICY & PROCEDURES (AC)
Asset Inventory
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU)
Configuration Management Plan
CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM)
Contingency Plan
CONTINGENCY PLANNING POLICY & PROCEDURES (CP)
Continuous Monitoring Strategy
Continuous Monitoring Plan
Enterprise Architecture (EA)
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA)
INCIDENT RESPONSE POLICY & PROCEDURES (IR)
INFORMATION SECURITY PROGRAM PLAN (PM)
MEDIA PROTECTION POLICY & PROCEDURES (MP)
PERSONNEL SECURITY POLICY & PROCEDURES (PS)
PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE)
Privacy Impact Assessment
Privacy Program Plan
Risk Assessment
RISK ASSESSMENT POLICY & PROCEDURES (RA)
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (CA)
SECURITY AWARENESS AND TRAINING POLICY & PROCEDURES (AT)
Security Configurations
SECURITY PLANNING POLICY & PROCEDURES (PL)
SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC)
SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI)
SYSTEM AND SERVICES ACQUISITION POLICY & PROCEDURES (SA)
System Interconnection Agreements
SYSTEM MAINTENANCE POLICY & PROCEDURES (MA)

WIDELY USED ARTIFACTS FOR IDENTIFICATION & AUTHENTICATION
Identification & Authentication policy
Information system design documentation
Information system configuration settings and associated documentation
Information system audit records
Policy & Procedures
Here you'll find a catalog of Identification & Authentication (IA) related policies and procedures for managing access to your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
POLICIES & PROCEDURES | APPLICABLE CONTROL(S) |
--- | --- |
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES | IA-1 |
Password policy | IA-5 (1) |
Procedures addressing account management | IA-4 IA-4 (1) IA-4 (2) IA-4 (3) IA-4 (4) IA-4 (5) IA-4 (6) IA-4 (7) IA-5 (9) |
Procedures addressing account management | IA-4 (1) |
Procedures addressing adaptive/ supplemental Identification & Authentication techniques or mechanisms | IA-10 |
Procedures addressing authenticator feedback | IA-6 |
Procedures addressing authenticator management | IA-5 IA-5 (1) IA-5 (2) IA-5 (3) IA-5 (4) IA-5 (5) IA-5 (6) IA-5 (7) IA-5 (8) IA-5 (9) IA-5 (11) IA-5 (12) IA-5 (13) IA-5 (14) |
Procedures addressing cryptographic module authentication | IA-7 |
Procedures addressing device configuration management | IA-3 (4) |
Procedures addressing device IDENTIFICATION & AUTHENTICATION | IA-3 IA-3 (1) IA-3 (3) IA-3 (4) |
Procedures addressing IDENTIFICATION & AUTHENTICATION | IA-2 (10) |
Procedures addressing identifier management | IA-4 IA-4 (1) IA-4 (2) IA-4 (3) IA-4 (4) IA-4 (5) IA-4 (6) IA-4 (7) IA-5 (10) IA-5 (15) |
Procedures addressing service Identification & Authentication | IA-9 IA-9 (1) IA-9 (2) |
Procedures addressing single sign-on capability for information system accounts and services | IA-2 (10) |
Procedures addressing the integration of security requirements into the acquisition process | IA-5 (5) |
Procedures addressing the integration of security requirements into the acquisition process | IA-8 (3) |
Procedures addressing the integration of security requirements into the acquisition process | IA-8 (4) |
Procedures addressing user and device re-authentication | IA-11 |
Procedures addressing user Identification & Authentication | IA-2 IA-2 (1) IA-2 (2) IA-2 (3) IA-2 (4) IA-2 (5) IA-2 (6) IA-2 (7) IA-2 (8) IA-2 (9) IA-2 (11) IA-2 (12) IA-2 (13) IA-8 IA-8 (1) IA-8 (2) IA-8 (3) IA-8 (4) IA-8 (5) |
System and services acquisition policy | IA-5 (5) IA-8 (3) IA-8 (4) |
Evidence, Records & Artifacts
Here you'll find a catalog of Identification & Authentication (IA) related evidence, records and artifacts for managing access to your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
ARTIFACT | APPLICABLE CONTROL(S) |
--- | --- |
Acquisition contracts for information system procurements or services | IA-5 (5) |
Acquisition contracts for information system procurements or services | IA-8 (3) IA-8 (4) |
Acquisition documentation | IA-5 (5) IA-8 (3) IA-8 (4) |
Application code reviews for detecting unencrypted static authenticators | IA-5 (7) |
Authenticator registration documentation | IA-5 (3) |
Automated mechanisms employing biometric-based authentication for the information system | IA-5 (12) |
Automated mechanisms employing hardware token-based authentication for the information system | IA-5 (11) |
Automated mechanisms providing dynamic binding of identifiers and authenticators | IA-5 (10) IA-5 (15) |
Automated tools for evaluating password authenticators | IA-5 (4) |
Change control records | IA-3 (4) |
Change control records associated with managing information system authenticators | IA-5 |
Configuration management records | IA-3 (4) |
Device connection reports | IA-3 IA-3 (1) IA-3 (3) |
Enterprise architecture documentation | IA-5 (14) |
Enterprise security architecture documentation | IA-5 (14) |
Evidence of FICAM-approved third-party credentials | IA-8 (2) |
Evidence of lease information and lease duration assigned to devices | IA-3 (3) |
Evidence of PIV credentials | IA-2 (12) IA-8 (1) |
Evidence of PIV-I credentials | IA-8 (5) |
Information security agreements | IA-5 (9) |
Logical access scripts | IA-5 (7) |
Organizational methodology for managing content of PKI trust stores across all installed platforms | IA-5 (14) |
Password configurations and associated documentation | IA-5 (1) |
Password strength assessment results | IA-5 (4) |
PIV credential authorizations | IA-2 (12) IA-8 (1) |
PIV verification records | IA-2 (12) IA-8 (1) |
PIV-I credential authorizations | IA-8 (5) |
PIV-I verification records | IA-8 (5) |
PKI certification validation records | IA-5 (2) |
Registration process for receiving information system authenticators | IA-5 (3) |
Risk assessment results | IA-5 (6) |
Rules for IDENTIFICATION & AUTHENTICATION transmission decisions between organizational services | IA-9 (2) |
Security assessments of authenticator protections | IA-5 (6) |
Security categorization documentation for the information system | IA-5 (6) |
Security safeguards used to identify and authenticate information system services | IA-9 |
Supplemental IDENTIFICATION & AUTHENTICATION techniques or mechanisms | IA-10 |
System-generated list of out-of-band authentication paths | IA-2 (13) |
Third-party credential authorizations | IA-8 (2) IA-8 (3) |
Third-party credential records | IA-8 (3) |
Third-party credential validations | IA-8 (3) |
Third-party credential verification records | IA-8 (2) |
Transmission records | IA-9 (2) |
Transmission verification records | IA-9 (2) |
Identification & Authentication (IA) Related Lists
These are the Identification & Authentication (IA) related lists you may need to support your security program. For the lists applicable to your systems and information supply chain you should know the source of the list and the data it contains; how the lists are generated, where they are stored, and how they are maintained; and how to get them when you have an incident, an incident investigation, or an audit.
LIST | APPLICABLE CONTROL(S) |
--- | --- |
List of authenticators requiring in-person registration | IA-5 (3) |
List of authenticators requiring trusted third party registration | IA-5 (3) |
List of biometric quality requirements | IA-5 (12) |
List of characteristics identifying individual status | IA-4 (4) |
List of circumstances or situations requiring re-authentication | IA-11 |
List of devices requiring unique Identification & Authentication | IA-3 |
List of devices requiring unique Identification & Authentication | IA-3 (1) |
List of FICAM-approved information system components procured and implemented by organization | IA-8 (3) |
List of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization | IA-8 (2) |
List of FICAM-issued profiles and associated, approved protocols | IA-8 (4) |
List of identifiers generated from physical access control devices | IA-4 |
List of individuals having accounts on multiple information systems | IA-5 (8) |
List of information system accounts | IA-2 IA-2 (1) IA-2 (2) IA-2 (3) IA-2 (4) IA-2 (5) IA-2 (6) IA-2 (7) IA-4 IA-8 |
List of information system accounts and services requiring single sign-on capability | IA-2 (10) |
List of information system authenticator types | IA-5 |
List of non-privileged information system accounts | IA-2 (9) |
List of privileged and non-privileged information system accounts | IA-2 (11) |
List of privileged information system accounts | IA-2 (8) |
List of security safeguards intended to manage risk of compromise due to individuals having accounts on multiple information systems | IA-5 (8) |
List of token quality requirements | IA-5 (11) |
PKI certification revocation lists | IA-5 (2) |