💼 IA-5 Authenticator Management (L)(M)(H)
- ID:
/frameworks/fedramp-moderate-security-controls/ia/05
Description
Manage system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
b. Establishing initial authenticator content for any authenticators issued by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
e. Changing default authenticators prior to first use;
f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
g. Protecting authenticator content from unauthorized disclosure and modification;
h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
i. Changing authenticators for group or role accounts when membership to those accounts changes.
IA-5 Additional FedRAMP Requirements and Guidance:
Guidance: SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).
Requirement: Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3.
Similar
- Sections
/frameworks/fedramp-high-security-controls/ia/05
- Internal
- ID:
dec-c-eecfdaef
- ID:
Similar Sections (Take Policies From)
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 6 | 14 | 32 | no data |
Sub Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 8 | no data | |||
| 💼 IA-5(2) Public Key-based Authentication (M)(H) | 1 | no data | |||
| 💼 IA-5(6) Protection of Authenticators (M)(H) | no data | ||||
| 💼 IA-5(7) No Embedded Unencrypted Static Authenticators (M)(H) | no data |