Skip to main content

πŸ’Ό IA-5 Authenticator Management (L)(M)(H)

  • Contextual name: πŸ’Ό IA-5 Authenticator Management (L)(M)(H)
  • ID: /frameworks/fedramp-moderate-security-controls/ia/05
  • Located in: πŸ’Ό Identification and Authentication

Description​

Manage system authenticators by:

a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;

b. Establishing initial authenticator content for any authenticators issued by the organization;

c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;

d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;

e. Changing default authenticators prior to first use;

f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;

g. Protecting authenticator content from unauthorized disclosure and modification;

h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and

i. Changing authenticators for group or role accounts when membership to those accounts changes.

IA-5 Additional FedRAMP Requirements and Guidance:

Guidance: SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

Requirement: Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3.

Similar​

  • Sections
    • /frameworks/fedramp-high-security-controls/ia/05
  • Internal
    • ID: dec-c-eecfdaef

Similar Sections (Take Policies From)​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)61420

Sub Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)4
πŸ’Ό IA-5(2) Public Key-based Authentication (M)(H)1
πŸ’Ό IA-5(6) Protection of Authenticators (M)(H)
πŸ’Ό IA-5(7) No Embedded Unencrypted Static Authenticators (M)(H)

Policies (17)​

PolicyLogic CountFlags
πŸ“ AWS Account IAM Password Policy Number of passwords to remember is not set to 24 🟒1🟒 x6
πŸ“ AWS Account Root User credentials were used is the last 30 days πŸ”΄πŸŸ’1πŸ”΄ x1, 🟒 x6
πŸ“ AWS EC2 Instance IAM role is not attached 🟒1🟒 x6
πŸ“ AWS IAM Server Certificate is expired 🟒1🟒 x6
πŸ“ AWS IAM User Access Keys are not rotated every 90 days or less 🟒1🟒 x6
πŸ“ AWS IAM User has inline or directly attached policies 🟒1🟠 x1, 🟒 x5
πŸ“ AWS IAM User has more than one active access key 🟒1🟒 x6
πŸ“ AWS IAM User with console and programmatic access set during the initial creation 🟒🟒 x3
πŸ“ AWS KMS Symmetric CMK Rotation is not enabled 🟒1🟒 x6
πŸ“ Azure App Service Authentication is disabled and Basic Authentication is enabled 🟒1🟒 x6
πŸ“ Azure App Service Basic Authentication is enabled 🟒🟒 x3
πŸ“ Azure Key Vault Soft Delete and Purge Protection functions are not enabled 🟒1🟒 x6
πŸ“ Azure Non-RBAC Key Vault stores Keys without expiration date 🟒1🟒 x6
πŸ“ Azure Non-RBAC Key Vault stores Secrets without expiration date 🟒1🟒 x6
πŸ“ Azure RBAC Key Vault stores Keys without expiration date 🟒1🟒 x6
πŸ“ Azure RBAC Key Vault stores Secrets without expiration date 🟒1🟒 x6
πŸ“ Consumer Google Accounts are used 🟒🟒 x3