💼 IA-2 Identification and Authentication (Organizational Users) (L)(M)(H)

• ID: /frameworks/fedramp-moderate-security-controls/ia/02

Description

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

IA-2 Additional FedRAMP Requirements and Guidance:

Guidance: "Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

Requirement: For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

Requirement: Multi-factor authentication must be phishing-resistant.

Requirement: All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

Similar

• Sections
  • /frameworks/fedramp-high-security-controls/ia/02
• Internal
  • ID: dec-c-eb896af4

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 FedRAMP High Security Controls → 💼 IA-2 Identification and Authentication (Organizational Users) (L)(M)(H)	6	1	4		no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 IA-2(1) Multi-factor Authentication to Privileged Accounts (L)(M)(H)			3		no data
💼 IA-2(2) Multi-factor Authentication to Non-privileged Accounts (L)(M)(H)			3		no data
💼 IA-2(5) Individual Authentication with Group Authentication (M)(H)					no data
💼 IA-2(6) Access to Accounts —separate Device (M)(H)			3		no data
💼 IA-2(8) Access to Accounts — Replay Resistant (L)(M)(H)			3		no data
💼 IA-2(12) Acceptance of PIV Credentials (L)(M)(H)					no data

Policies (1)

Policy	Logic Count	Flags	Compliance
🛡️ Consumer Google Accounts are used🟢⚪		🟢 x2, ⚪ x1	no data