IA-09-727 Service Identification and Authentication

Service Identification and Authentication

Control ID

IA-09-727

Control Name

Service Identification and Authentication

Control Category

Identification and Authentication

Functional Areas

Sub-Areas

NIST Baseline Level(s)

NOT SELECTED

NIST Priority

State Implementation Required

Agency Last Implemented Date

February 13, 2018

Agency Implementation

Each service process operating on an Agency-owned information resource shall be assigned a unique access identifier (user name) and authenticator (password or hardware token) by which all processes belonging to that service will be ran. Any output from the service shall be cryptographically signed (TLS server certificate, code signing certificate, etc.) whenever possible. All public facing web services shall operate over HTTPS with valid certificates owned/managed by the Agency.

Risk Statement

Information systems are not able to determine in a dynamic manner, if external providers and associated services are authentic

Control Description

The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].

Control Example

Information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services.

State Implementation

No statewide control

Testing Procedures