💼 IA-5 Authenticator Management

  • ID: /frameworks/nist-sp-800-53-r5/ia/05

Description

Manage system authenticators by:

  a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
  b. Establishing initial authenticator content for any authenticators issued by the organization;
  c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
  e. Changing default authenticators prior to first use;
  f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
  g. Protecting authenticator content from unauthorized disclosure and modification;
  h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
  i. Changing authenticators for group or role accounts when membership to those accounts changes.

Similar

  • Sections
    • /frameworks/aws-fsbp-v1.0.0/dms/10
    • /frameworks/aws-fsbp-v1.0.0/dms/11
    • /frameworks/aws-fsbp-v1.0.0/transfer-family/02
  • Internal
    • ID: dec-c-42a21b57

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection | no data

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 61432 | no data
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 132 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | 42 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated | 53 | no data

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 IA-5(1) Authenticator Management _ Password-based Authentication | 8 | no data
💼 IA-5(2) Authenticator Management _ Public Key-based Authentication | no data
💼 IA-5(3) Authenticator Management _ In-person or Trusted External Party Registration | no data
💼 IA-5(4) Authenticator Management _ Automated Support for Password Strength Determination | no data
💼 IA-5(5) Authenticator Management _ Change Authenticators Prior to Delivery | no data
💼 IA-5(6) Authenticator Management _ Protection of Authenticators | no data
💼 IA-5(7) Authenticator Management _ No Embedded Unencrypted Static Authenticators | no data
💼 IA-5(8) Authenticator Management _ Multiple System Accounts | no data
💼 IA-5(9) Authenticator Management _ Federated Credential Management | no data
💼 IA-5(10) Authenticator Management _ Dynamic Credential Binding | no data
💼 IA-5(11) Authenticator Management _ Hardware Token-based Authentication | no data
💼 IA-5(12) Authenticator Management _ Biometric Authentication Performance | no data
💼 IA-5(13) Authenticator Management _ Expiration of Cached Authenticators | no data
💼 IA-5(14) Authenticator Management _ Managing Content of PKI Trust Stores | no data
💼 IA-5(15) Authenticator Management _ GSA-approved Products and Services | no data
💼 IA-5(16) Authenticator Management _ In-person or Trusted External Party Authenticator Issuance | no data
💼 IA-5(17) Authenticator Management _ Presentation Attack Detection for Biometric Authenticators | no data
💼 IA-5(18) Authenticator Management _ Password Managers | no data

Policies (8)

Policy | Logic Count | Flags | Compliance
🛡️ Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK) | 🟢1 | 🟢 x6 | no data
🛡️ Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK) | 🟢1 | 🟢 x6 | no data
🛡️ Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key | 🟢1 | 🟢 x6 | no data
🛡️ Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK) | 🟢1 | 🟢 x6 | no data
🛡️ Google GCE Instance Block Project-Wide SSH Keys is not enabled | 🟢1 | 🟢 x6 | no data
🛡️ Google GCE Instance Confidential Compute is not enabled | 🟢1 | 🟢 x6 | no data
🛡️ Google GCE Instance is configured to use the Default Service Account | 🟢1 | 🟢 x6 | no data
🛡️ Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs | 🟢1 | 🟢 x6 | no data