💼 IA-5 Authenticator Management (L)(M)(H)

  • Contextual name: 💼 IA-5 Authenticator Management (L)(M)(H)
  • ID: /frameworks/fedramp-high-security-controls/ia/05
  • Located in: 💼 Identification and Authentication

Description

Manage system authenticators by:

a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;

b. Establishing initial authenticator content for any authenticators issued by the organization;

c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;

d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;

e. Changing default authenticators prior to first use;

f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;

g. Protecting authenticator content from unauthorized disclosure and modification;

h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and

i. Changing authenticators for group or role accounts when membership to those accounts changes.

IA-5 Additional FedRAMP Requirements and Guidance:

Guidance: SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

Requirement: Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3.

Similar

  • Sections
    • /frameworks/nist-sp-800-53-r5/ia/05
  • Internal
    • ID: dec-c-eecfdaef

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 NIST SP 800-53 Revision 5 → 💼 IA-5 Authenticator Management | 1816

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 132
💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 432

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 IA-5(1) Password-based Authentication (L)(M)(H) | 18
💼 IA-5(2) Public Key-based Authentication (M)(H) | 11
💼 IA-5(6) Protection of Authenticators (M)(H) |
💼 IA-5(7) No Embedded Unencrypted Static Authenticators (M)(H) |
💼 IA-5(8) Multiple System Accounts (H) |
💼 IA-5(13) Expiration of Cached Authenticators (H) | 11

Policies (25)

Policy | Logic Count | Flags
📝 AWS Account IAM Password Policy Number of passwords to remember is not set to 24 🟢 | 1 | 🟢 x6
📝 AWS Account Root User credentials were used in the last 30 days 🟢 | 1 | 🟢 x6
📝 AWS EC2 Instance IAM role is not attached 🟢 | 1 | 🟢 x6
📝 AWS IAM Server Certificate is expired 🟢 | 1 | 🟢 x6
📝 AWS IAM User Access Keys are not rotated every 90 days or less 🟢 | 1 | 🟢 x6
📝 AWS IAM User has inline or directly attached policies 🟢 | 1 | 🟠 x1, 🟢 x5
📝 AWS IAM User has more than one active access key 🟢 | 1 | 🟢 x6
📝 AWS IAM User with console and programmatic access set during the initial creation 🟢 | | 🟢 x3
📝 AWS KMS Symmetric CMK Rotation is not enabled 🟢 | 1 | 🟢 x6
📝 Azure App Service Authentication is disabled and Basic Authentication is enabled 🟢 | 1 | 🟢 x6
📝 Azure App Service Basic Authentication is enabled 🟢 | | 🟢 x3
📝 Azure Key Vault Soft Delete and Purge Protection functions are not enabled 🟢 | 1 | 🟢 x6
📝 Azure Non-RBAC Key Vault stores Keys without expiration date 🟢 | 1 | 🟢 x6
📝 Azure Non-RBAC Key Vault stores Secrets without expiration date 🟢 | 1 | 🟢 x6
📝 Azure RBAC Key Vault stores Keys without expiration date 🟢 | 1 | 🟢 x6
📝 Azure RBAC Key Vault stores Secrets without expiration date 🟢 | 1 | 🟢 x6
📝 Consumer Google Accounts are used 🟢 | | 🟢 x3
📝 Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢 | 1 | 🟢 x6
📝 Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢 | 1 | 🟢 x6
📝 Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key 🟢 | 1 | 🟢 x6
📝 Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK) 🟢 | 1 | 🟢 x6
📝 Google GCE Instance Block Project-Wide SSH Keys is not enabled 🟢 | 1 | 🟢 x6
📝 Google GCE Instance Confidential Compute is not enabled 🟢 | 1 | 🟢 x6
📝 Google GCE Instance is configured to use the Default Service Account 🟢 | 1 | 🟢 x6
📝 Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs 🟢 | 1 | 🟢 x6

Internal Rules

Rule | Policies | Flags
✉️ dec-x-0be4dfe5 | 1 |
✉️ dec-x-0feec790 | 2 |
✉️ dec-x-4d6fee7a | 1 |
✉️ dec-x-6c93750d | 1 |
✉️ dec-x-12a85339 | 1 |
✉️ dec-x-82ca4127 | 2 |
✉️ dec-x-4157c58a | 1 |
✉️ dec-x-30795016 | 1 |
✉️ dec-x-b10e98af | 1 |
✉️ dec-x-bcb0c78f | 1 |
✉️ dec-x-ca52f63a | 2 |
✉️ dec-x-e58fd8e0 | 1 |
✉️ dec-x-f7c2faac | 1 |
✉️ dec-z-79f4ab88 | 1 |