IA-03-727 Device Identification and Authentication

Device Identification and Authentication

Control ID

IA-03-727

Control Name

Device Identification and Authentication

Control Category

Identification and Authentication

Functional Areas

Protect

Sub-Areas

Identification and Authentication

NIST Baseline Level(s)

MOD, HIGH

NIST Priority

State Implementation Required

Agency Last Implemented Date

August 17, 2016

Agency Implementation

Each information resource connected to the enterprise network shall be uniqely identified either by NetBIOS name and corresponding enterprise computer account, MAC address, or PKI certificate, before the computer may access other enterprise information resources. Whenever possible, the use of 802.1X authentication shall validate the resource against either the enterprise directory or internal PKI infrastructure prior to granting access.

Risk Statement

Unidentified equipment is allowed to gain access to the network.

Control Description

The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.

Control Example

Users’ equipment is uniquely identified prior to login.

State Implementation

No statewide control

Testing Procedures

Obtain identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; device connection reports; information system configuration settings and associated documentation; other relevant documents or records and ascertain if: (I)the organization defines the devices for which identification and authentication is required before establishing connections to the information system. (ii)the information system uniquely identifies and authenticates the devices defined by the organization before establishing connections to the information system.