IA-02-727 Identification and Authentication (Organizational Users)

Identification and Authentication (Organizational Users)

Control ID

IA-02-727

Control Name

Identification and Authentication (Organizational Users)

Control Category

Identification and Authentication

Functional Areas

Protect

Sub-Areas

Identification and Authentication

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

August 17, 2016

Agency Implementation

Each user of an Agency-owned information resource shall be assigned a unique access identifier (user name) and authenticator (password or hardware token). The authenticator shall be appropriate to the level of assurance required for access to the necessary information resources. NIST SP 800-63-2, Electronic Authentication Guideline, shall be used as the foundation for determining appropriate assurance levels when selecting authenticators.

Risk Statement

Failure to assign unique user identification and a relevant authentication mechanisms to confirm the claimed identity of an user may result in potential fraud and/or falsification of user identities.

Control Description

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Control Example

Users have individual identification and login credentials.

State Implementation

Each user of information resources shall be assigned a unique identifier except for situations where risk analysis demonstrates no need for individual accountability of users. User identification shall be authenticated before the information resources system may grant that user access.

Testing Procedures

Obtain identification and authentication policy; NIST Special Publication 800-63; procedures addressing user identification and authentication; information system design documentation; e-authentication risk assessment results; information system configuration settings and associated documentation; information system audit records; security plan; other relevant documents or records and ascertain if: (I)the information system uniquely identifies and authenticates users (or processes acting on behalf of users). (ii)the information system employs multifactor authentication for remote system access that is NIST Special Publication 800-63 compliant in accordance with the organizational selection of level 3, level 3 using a hardware authentication device, or level 4. (iii)the organization defines in the security plan, explicitly or by reference, the NIST Special Publication 800-63 authentication levels for the information system.