Skip to main content

πŸ’Ό IA-5 Authenticator Management

Description​

Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b. Establishing initial authenticator content for any authenticators issued by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e. Changing default authenticators prior to first use; f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur; g. Protecting authenticator content from unauthorized disclosure and modification; h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i. Changing authenticators for group or role accounts when membership to those accounts changes.

Similar​

  • Sections
    • /frameworks/aws-fsbp-v1.0.0/dms/10
    • /frameworks/aws-fsbp-v1.0.0/dms/11
    • /frameworks/aws-fsbp-v1.0.0/transfer-family/02
  • Internal
    • ID: dec-c-42a21b57

Similar Sections (Take Policies From)​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection

Similar Sections (Give Policies To)​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)61432
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)132
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization38
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-03: Users, services, and hardware are authenticated32

Sub Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό IA-5(1) Authenticator Management _ Password-based Authentication8
πŸ’Ό IA-5(2) Authenticator Management _ Public Key-based Authentication
πŸ’Ό IA-5(3) Authenticator Management _ In-person or Trusted External Party Registration
πŸ’Ό IA-5(4) Authenticator Management _ Automated Support for Password Strength Determination
πŸ’Ό IA-5(5) Authenticator Management _ Change Authenticators Prior to Delivery
πŸ’Ό IA-5(6) Authenticator Management _ Protection of Authenticators
πŸ’Ό IA-5(7) Authenticator Management _ No Embedded Unencrypted Static Authenticators
πŸ’Ό IA-5(8) Authenticator Management _ Multiple System Accounts
πŸ’Ό IA-5(9) Authenticator Management _ Federated Credential Management
πŸ’Ό IA-5(10) Authenticator Management _ Dynamic Credential Binding
πŸ’Ό IA-5(11) Authenticator Management _ Hardware Token-based Authentication
πŸ’Ό IA-5(12) Authenticator Management _ Biometric Authentication Performance
πŸ’Ό IA-5(13) Authenticator Management _ Expiration of Cached Authenticators
πŸ’Ό IA-5(14) Authenticator Management _ Managing Content of PKI Trust Stores
πŸ’Ό IA-5(15) Authenticator Management _ GSA-approved Products and Services
πŸ’Ό IA-5(16) Authenticator Management _ In-person or Trusted External Party Authenticator Issuance
πŸ’Ό IA-5(17) Authenticator Management _ Presentation Attack Detection for Biometric Authenticators
πŸ’Ό IA-5(18) Authenticator Management _ Password Managers

Policies (8)​

PolicyLogic CountFlags
πŸ“ Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK) 🟒1🟒 x6
πŸ“ Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK) 🟒1🟒 x6
πŸ“ Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key 🟒1🟒 x6
πŸ“ Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK) 🟒1🟒 x6
πŸ“ Google GCE Instance Block Project-Wide SSH Keys is not enabled 🟒1🟒 x6
πŸ“ Google GCE Instance Confidential Compute is not enabled 🟒1🟒 x6
πŸ“ Google GCE Instance is configured to use the Default Service Account 🟒1🟒 x6
πŸ“ Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs 🟒1🟒 x6