| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
IA-5 |
FedRAMP_High_R4_IA-5 |
FedRAMP High IA-5 |
Identification And Authentication |
Authenticator Management |
Shared |
n/a |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
Supplemental Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28.
References: OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance |
link |
18 |
| FedRAMP_High_R4 |
IA-5(2) |
FedRAMP_High_R4_IA-5(2) |
FedRAMP High IA-5 (2) |
Identification And Authentication |
Pki-Based Authentication |
Shared |
n/a |
The information system, for PKI-based authentication:
(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
(b) Enforces authorized access to the corresponding private key;
(c) Maps the authenticated identity to the account of the individual or group; and
(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
Supplemental Guidance: Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. |
link |
7 |
| FedRAMP_Moderate_R4 |
IA-5 |
FedRAMP_Moderate_R4_IA-5 |
FedRAMP Moderate IA-5 |
Identification And Authentication |
Authenticator Management |
Shared |
n/a |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
Supplemental Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28.
References: OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance |
link |
18 |
| FedRAMP_Moderate_R4 |
IA-5(2) |
FedRAMP_Moderate_R4_IA-5(2) |
FedRAMP Moderate IA-5 (2) |
Identification And Authentication |
Pki-Based Authentication |
Shared |
n/a |
The information system, for PKI-based authentication:
(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
(b) Enforces authorized access to the corresponding private key;
(c) Maps the authenticated identity to the account of the individual or group; and
(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
Supplemental Guidance: Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. |
link |
7 |
| hipaa |
1003.01d1System.3-01.d |
hipaa-1003.01d1System.3-01.d |
1003.01d1System.3-01.d |
10 Password Management |
1003.01d1System.3-01.d 01.02 Authorized Access to Information Systems |
Shared |
n/a |
User identities are verified prior to performing password resets. |
|
3 |
| hipaa |
1004.01d1System.8913-01.d |
hipaa-1004.01d1System.8913-01.d |
1004.01d1System.8913-01.d |
10 Password Management |
1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization maintains a list of commonly-used, expected, or compromised passwords, and updates the list (i) at least every 180 days and (ii) when organizational passwords are suspected to have been compromised (either directly or indirectly); allows users to select long passwords and passphrases, including spaces and all printable characters; employs automated tools to assist the user in selecting strong passwords and authenticators; and verifies, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords. |
|
8 |
| hipaa |
1014.01d1System.12-01.d |
hipaa-1014.01d1System.12-01.d |
1014.01d1System.12-01.d |
10 Password Management |
1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization avoids the use of third-parties or unprotected (clear text) electronic mail messages for the dissemination of passwords. |
|
11 |
| hipaa |
1015.01d1System.14-01.d |
hipaa-1015.01d1System.14-01.d |
1015.01d1System.14-01.d |
10 Password Management |
1015.01d1System.14-01.d 01.02 Authorized Access to Information Systems |
Shared |
n/a |
Users acknowledge receipt of passwords. |
|
4 |
| hipaa |
1106.01b1System.1-01.b |
hipaa-1106.01b1System.1-01.b |
1106.01b1System.1-01.b |
11 Access Control |
1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems |
Shared |
n/a |
User identities are verified prior to establishing accounts. |
|
10 |
| hipaa |
1107.01b1System.2-01.b |
hipaa-1107.01b1System.2-01.b |
1107.01b1System.2-01.b |
11 Access Control |
1107.01b1System.2-01.b 01.02 Authorized Access to Information Systems |
Shared |
n/a |
Default and unnecessary system accounts are removed, disabled, or otherwise secured (e.g., the passwords are changed and privileges are reduced to the lowest levels of access). |
|
4 |
| hipaa |
1109.01b1System.479-01.b |
hipaa-1109.01b1System.479-01.b |
1109.01b1System.479-01.b |
11 Access Control |
1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems |
Shared |
n/a |
User registration and deregistration, at a minimum: (i) communicates relevant policies to users and require acknowledgement (e.g., signed or captured electronically); (ii) checks authorization and minimum level of access necessary prior to granting access; (iii) ensures access is appropriate to the business needs (consistent with sensitivity/risk and does not violate segregation of duties requirements); (iv) addresses termination and transfer; (v) ensures default accounts are removed and/or renamed; (vi) removes or blocks critical access rights of users who have changed roles or jobs; and, (vii) automatically removes or disables inactive accounts. |
|
24 |
| hipaa |
11111.01q2System.4-01.q |
hipaa-11111.01q2System.4-01.q |
11111.01q2System.4-01.q |
11 Access Control |
11111.01q2System.4-01.q 01.05 Operating System Access Control |
Shared |
n/a |
When PKI-based authentication is used, the information system validates certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; enforces access to the corresponding private key; maps the identity to the corresponding account of the individual or group; and implements a local cache of revocation data to support path discovery and validation in case of an inability to access revocation information via the network. |
|
4 |
| hipaa |
1112.01b2System.2-01.b |
hipaa-1112.01b2System.2-01.b |
1112.01b2System.2-01.b |
11 Access Control |
1112.01b2System.2-01.b 01.02 Authorized Access to Information Systems |
Shared |
n/a |
User identities are verified in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor or other individual defined in an applicable security plan) prior to receiving a hardware token. |
|
7 |
| hipaa |
1116.01j1Organizational.145-01.j |
hipaa-1116.01j1Organizational.145-01.j |
1116.01j1Organizational.145-01.j |
11 Access Control |
1116.01j1Organizational.145-01.j 01.04 Network Access Control |
Shared |
n/a |
Strong authentication methods are implemented for all external connections to the organization’s network. |
|
6 |
| hipaa |
1424.05j2Organizational.5-05.j |
hipaa-1424.05j2Organizational.5-05.j |
1424.05j2Organizational.5-05.j |
14 Third Party Assurance |
1424.05j2Organizational.5-05.j 05.02 External Parties |
Shared |
n/a |
The organization has a formal mechanism to authenticate the customer's identity prior to granting access to covered information. |
|
8 |
| ISO27001-2013 |
A.9.2.1 |
ISO27001-2013_A.9.2.1 |
ISO 27001:2013 A.9.2.1 |
Access Control |
User registration and de-registration |
Shared |
n/a |
A formal user registration and de-registration process shall be implemented to enable assignment of access rights. |
link |
27 |
| ISO27001-2013 |
A.9.2.4 |
ISO27001-2013_A.9.2.4 |
ISO 27001:2013 A.9.2.4 |
Access Control |
Management of secret authentication information of users |
Shared |
n/a |
The allocation of secret authentication information shall be controlled through a formal management process. |
link |
21 |
| ISO27001-2013 |
A.9.3.1 |
ISO27001-2013_A.9.3.1 |
ISO 27001:2013 A.9.3.1 |
Access Control |
Use of secret authentication information |
Shared |
n/a |
Users shall be required to follow the organization's practices in the use of secret authentication information. |
link |
15 |
| ISO27001-2013 |
A.9.4.3 |
ISO27001-2013_A.9.4.3 |
ISO 27001:2013 A.9.4.3 |
Access Control |
Password management system |
Shared |
n/a |
Password management systems shall be interactive and shall ensure quality password. |
link |
22 |
| NIST_SP_800-171_R2_3 |
.5.2 |
NIST_SP_800-171_R2_3.5.2 |
NIST SP 800-171 R2 3.5.2 |
Identification and Authentication |
Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords. [SP 800-63-3] provides guidance on digital identities. |
link |
24 |
| NIST_SP_800-53_R4 |
IA-5 |
NIST_SP_800-53_R4_IA-5 |
NIST SP 800-53 Rev. 4 IA-5 |
Identification And Authentication |
Authenticator Management |
Shared |
n/a |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
Supplemental Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28.
References: OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance |
link |
18 |
| NIST_SP_800-53_R4 |
IA-5(2) |
NIST_SP_800-53_R4_IA-5(2) |
NIST SP 800-53 Rev. 4 IA-5 (2) |
Identification And Authentication |
Pki-Based Authentication |
Shared |
n/a |
The information system, for PKI-based authentication:
(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
(b) Enforces authorized access to the corresponding private key;
(c) Maps the authenticated identity to the account of the individual or group; and
(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
Supplemental Guidance: Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. |
link |
7 |
| NIST_SP_800-53_R5 |
IA-5 |
NIST_SP_800-53_R5_IA-5 |
NIST SP 800-53 Rev. 5 IA-5 |
Identification and Authentication |
Authenticator Management |
Shared |
n/a |
Manage system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
b. Establishing initial authenticator content for any authenticators issued by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
e. Changing default authenticators prior to first use;
f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
g. Protecting authenticator content from unauthorized disclosure and modification;
h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
i. Changing authenticators for group or role accounts when membership to those accounts changes. |
link |
18 |
| NIST_SP_800-53_R5 |
IA-5(2) |
NIST_SP_800-53_R5_IA-5(2) |
NIST SP 800-53 Rev. 5 IA-5 (2) |
Identification and Authentication |
Public Key-based Authentication |
Shared |
n/a |
(a) For public key-based authentication:
(1) Enforce authorized access to the corresponding private key; and
(2) Map the authenticated identity to the account of the individual or group; and
(b) When public key infrastructure (PKI) is used:
(1) Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and
(2) Implement a local cache of revocation data to support path discovery and validation. |
link |
7 |
| PCI_DSS_v4.0 |
8.3.11 |
PCI_DSS_v4.0_8.3.11 |
PCI DSS v4.0 8.3.11 |
Requirement 08: Identify Users and Authenticate Access to System Components |
Strong authentication for users and administrators is established and managed |
Shared |
n/a |
Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used:
• Factors are assigned to an individual user and not shared among multiple users.
• Physical and/or logical controls ensure only the intended user can use that factor to gain access. |
link |
6 |
| SWIFT_CSCF_v2022 |
5.2 |
SWIFT_CSCF_v2022_5.2 |
SWIFT CSCF v2022 5.2 |
5. Manage Identities and Segregate Privileges |
Ensure the proper management, tracking, and use of connected and disconnected hardware authentication or personal tokens (when tokens are used). |
Shared |
n/a |
Connected and disconnected hardware authentication or personal tokens are managed appropriately during their assignment, distribution, revocation, use, and storage. |
link |
5 |