Identification and Authentication (IA)

[Withdrawn: Incorporated into IA-12(2).]



Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].



Manage individual identifiers dynamically in accordance with [Assignment: organization-defined dynamic identifier policy].



Coordinate with the following external organizations for cross-organization management of identifiers: [Assignment: organization-defined external organizations].



[Withdrawn: Incorporated into IA-12(4).]



Generate pairwise pseudonymous identifiers.



Maintain the attributes for each uniquely identified individual, device, or service in [Assignment: organization-defined protected central storage].



Manage system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
b. Establishing initial authenticator content for any authenticators issued by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
e. Changing default authenticators prior to first use;
f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
g. Protecting authenticator content from unauthorized disclosure and modification;
h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
i. Changing authenticators for group or role accounts when membership to those accounts changes.



For password-based authentication:
(a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
(c) Transmit passwords only over cryptographically-protected channels;
(d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;
(e) Require immediate selection of a new password upon account recovery;
(f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;
(g) Employ automated tools to assist the user in selecting strong password authenticators; and
(h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].
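As an added illustration of items (b), (d) and (f) of this control, not part of the control text or of any NIST reference implementation: a small Python verifier that rejects passwords found on a blocklist, accepts long passphrases containing spaces and any printable character, and stores passwords with a salted, keyed (HMAC-SHA-256 PBKDF2) key derivation function. The blocklist contents and the iteration count are constructed assumptions; an organization would load its own list and choose parameters under its own policy.

```python
import hashlib
import hmac
import os
import string

# Constructed stand-in for the organization's list of commonly-used,
# expected, or compromised passwords required by IA-5(1)(a).
BLOCKLIST = {"password", "123456", "qwerty", "welcome1", "letmein"}

# (f): every printable character is allowed, including space; only
# control characters (tab, newline, etc.) are treated as non-printable.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def check_password(candidate, blocklist=BLOCKLIST, min_len=8):
    """Return a list of policy failures; an empty list means accepted."""
    failures = []
    # (b): reject anything on the blocklist. Comparing case-insensitively
    # also catches trivial capitalisation variants of a blocked value.
    if candidate.lower() in blocklist:
        failures.append("on blocklist")
    if not candidate or any(ch not in PRINTABLE for ch in candidate):
        failures.append("non-printable characters")
    # Length floor is an assumed local rule standing in for (h).
    if len(candidate) < min_len:
        failures.append("too short")
    return failures


def hash_password(password, salt=b"", iterations=600_000):
    """(d): derive a storage value with a per-password random salt and a
    keyed hash (PBKDF2 over HMAC-SHA-256). Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def verify_password(password, salt, stored, iterations=600_000):
    """Recompute the derivation and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, stored)
```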



(a) For public key-based authentication:
    (1) Enforce authorized access to the corresponding private key; and
    (2) Map the authenticated identity to the account of the individual or group; and
(b) When public key infrastructure (PKI) is used:
    (1) Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and
    (2) Implement a local cache of revocation data to support path discovery and validation.

