IA-02-727 Identification and Authentication (Organizational Users)
Identification and Authentication
Protect
Identification and Authentication
LOW, MOD, HIGH
P1
Yes
August 17, 2016
Each user of an Agency-owned information resource shall be assigned a unique access identifier (user name) and authenticator (password or hardware token). The authenticator shall be appropriate to the level of assurance required for access to the necessary information resources. NIST SP 800-63-2, Electronic Authentication Guideline, shall be used as the foundation for determining appropriate assurance levels when selecting authenticators.
Failure to assign unique user identification and a relevant authentication mechanism to confirm the claimed identity of a user may result in potential fraud and/or falsification of user identities.
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Users have individual identification and login credentials.
Each user of information resources shall be assigned a unique identifier except for situations where risk analysis demonstrates no need for individual accountability of users. User identification shall be authenticated before the information resources system may grant that user access.
Obtain identification and authentication policy; NIST Special Publication 800-63; procedures addressing user identification and authentication; information system design documentation; e-authentication risk assessment results; information system configuration settings and associated documentation; information system audit records; security plan; other relevant documents or records and ascertain if:
(i) the information system uniquely identifies and authenticates users (or processes acting on behalf of users).
(ii) the information system employs multifactor authentication for remote system access that is NIST Special Publication 800-63 compliant in accordance with the organizational selection of level 3, level 3 using a hardware authentication device, or level 4.
(iii) the organization defines in the security plan, explicitly or by reference, the NIST Special Publication 800-63 authentication levels for the information system.