IA-5 Authenticator Management (L)(M)(H)
- Contextual name: IA-5 Authenticator Management (L)(M)(H)
- ID:
/frameworks/fedramp-high-security-controls/ia/05
- Located in: Identification and Authentication
Description
Manage system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
b. Establishing initial authenticator content for any authenticators issued by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
e. Changing default authenticators prior to first use;
f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
g. Protecting authenticator content from unauthorized disclosure and modification;
h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
i. Changing authenticators for group or role accounts when membership to those accounts changes.
IA-5 Additional FedRAMP Requirements and Guidance:
Guidance: NIST SP 800-63C Section 6.2.3 (Encrypted Assertion) requires that authentication assertions be encrypted when they pass through a third party, such as the user's browser. For example, a SAML assertion can be encrypted with XML Encryption, and an OpenID Connect ID Token can be encrypted as a JSON Web Encryption (JWE) object.
Requirement: Authenticators must comply with the NIST SP 800-63-3 Digital Identity Guidelines at IAL2, AAL2 and FAL2 (https://pages.nist.gov/800-63-3).
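The OpenID Connect case in the guidance above, as an added example that is not part of the FedRAMP text and not taken from any NIST or OpenID reference implementation: a JWE compact serialization (RFC 7516) of an ID Token using direct content encryption (`"alg":"dir"`) with AES-256-GCM (`"enc":"A256GCM"`), written in Go with only the standard library. The 256-bit shared content-encryption key, the claims and the issuer and client names are constructed for the example. Real deployments normally use the relying party's registered public key (for example RSA-OAEP or ECDH-ES key management) instead of a pre-shared symmetric key, and OpenID Connect Core requires the ID Token to be signed (JWS) first, so the payload passed to the encryptor would be the signed token rather than bare claims.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JOSE uses base64url without padding (RFC 7515 section 2).
var b64 = base64.RawURLEncoding

// Protected header for direct content encryption with AES-256-GCM
// (key management "dir", content encryption "A256GCM", RFC 7518).
const protectedHeader = `{"alg":"dir","enc":"A256GCM"}`

// newGCM derives the AEAD from the shared 256-bit content-encryption key.
// GCM in Go uses a 96-bit nonce and 128-bit tag, as RFC 7518 section 5.3 requires.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("A256GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptIDToken produces the JWE compact serialization
// header.encryptedKey.iv.ciphertext.tag (RFC 7516 section 7.1) over payload,
// which in production would be the already signed ID Token (a nested JWT).
func EncryptIDToken(key, payload []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	hdr := b64.EncodeToString([]byte(protectedHeader))
	// The encoded protected header is the additional authenticated data
	// (RFC 7516 section 5.1), so a browser in the path cannot swap algorithms unnoticed.
	sealed := gcm.Seal(nil, iv, payload, []byte(hdr))
	split := len(sealed) - gcm.Overhead()
	ciphertext, tag := sealed[:split], sealed[split:]
	// With "dir" the JWE Encrypted Key segment is empty.
	return strings.Join([]string{hdr, "", b64.EncodeToString(iv),
		b64.EncodeToString(ciphertext), b64.EncodeToString(tag)}, "."), nil
}

// DecryptIDToken is the relying-party side: it accepts only the algorithm pair
// it expects, then authenticates header, IV and ciphertext together.
func DecryptIDToken(key []byte, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return nil, errors.New("not a JWE compact serialization")
	}
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Enc string `json:"enc"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithms; never let the token choose how it is decrypted.
	if hdr.Alg != "dir" || hdr.Enc != "A256GCM" || parts[1] != "" {
		return nil, fmt.Errorf("unsupported JWE algorithms alg=%q enc=%q", hdr.Alg, hdr.Enc)
	}
	iv, err1 := b64.DecodeString(parts[2])
	ciphertext, err2 := b64.DecodeString(parts[3])
	tag, err3 := b64.DecodeString(parts[4])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("malformed JWE segment")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != gcm.NonceSize() {
		return nil, errors.New("bad IV length")
	}
	return gcm.Open(nil, iv, append(ciphertext, tag...), []byte(parts[0]))
}

func main() {
	// Constructed key and claims for the example; a real OP encrypts the signed ID Token.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	claims := []byte(`{"iss":"https://op.example","sub":"alice","aud":"rp-client","exp":1700000000}`)
	token, err := EncryptIDToken(key, claims)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptIDToken(key, token)
	if err != nil {
		panic(err)
	}
	fmt.Println("JWE:", token)
	fmt.Println("claims:", string(plain))
}
```

Two points worth checking in any deployment: the third segment of the token (the ciphertext) must not reveal the claims when base64url-decoded, which is the whole point of the SP 800-63C requirement, and the relying party must reject a token whose header names an algorithm pair other than the one it was configured for, rather than dispatching on whatever the token claims.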
Similar
- Sections
/frameworks/nist-sp-800-53-r5/ia/05
- Internal
- ID:
dec-c-eecfdaef
Similar Sections (Take Policies From)
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
NIST SP 800-53 Revision 5 → IA-5 Authenticator Management | 18 | 4 | |
Similar Sections (Give Policies To)
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
FedRAMP Low Security Controls → IA-5 Authenticator Management (L)(M)(H) | 1 | 20 | |
FedRAMP Moderate Security Controls → IA-5 Authenticator Management (L)(M)(H) | 4 | 20 | |
Sub Sections
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
IA-5(1) Password-based Authentication (L)(M)(H) | 1 | 4 | |
IA-5(2) Public Key-based Authentication (M)(H) | 1 | 1 | |
IA-5(6) Protection of Authenticators (M)(H) | | | |
IA-5(7) No Embedded Unencrypted Static Authenticators (M)(H) | | | |
IA-5(8) Multiple System Accounts (H) | | | |
IA-5(13) Expiration of Cached Authenticators (H) | 1 | 1 | |
Policies (17)
Internal Rules
Rule | Policies | Flags
---|---|---
dec-x-0be4dfe5 | 1 |
dec-x-0feec790 | 2 |
dec-x-4d6fee7a | 1 |
dec-x-6c93750d | 1 |
dec-x-12a85339 | 1 |
dec-x-82ca4127 | 2 |
dec-x-4157c58a | 1 |
dec-x-30795016 | 1 |
dec-x-b10e98af | 1 |
dec-x-bcb0c78f | 1 |
dec-x-ca52f63a | 2 |
dec-x-e58fd8e0 | 1 |
dec-x-f7c2faac | 1 |
dec-z-79f4ab88 | 1 |