PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
PF v1.0 References:
Threats Addressed:
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
IA-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] identification and authentication policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the…
IA-2: Identification and Authentication (organizational Users)
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
IA-3: Device Identification and Authentication
Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Assignment (one or more): local, remote, network] connection.
IA-4: Identifier Management
Manage system identifiers by: Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, service, or device identifier; Selecting an identifier that identifies an individual, group, role, service, or device; Assigning the identifier to the intended individual, group, role, service, or device; and Preventing reuse of identifiers for [Assignment: organization-defined time…
IA-5: Authenticator Management
Manage system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; Establishing initial authenticator content for any authenticators issued by the organization; Ensuring that authenticators have sufficient strength of mechanism for their intended use; Establishing and implementing administrative procedures for initial…
IA-7: Cryptographic Module Authentication
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.
IA-8: Identification and Authentication (non-organizational Users)
Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
IA-9: Service Identification and Authentication
Uniquely identify and authenticate [Assignment: organization-defined system services and applications] before establishing communications with devices, users, or other services or applications.
IA-10: Adaptive Authentication
Require individuals accessing the system to employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].
IA-11: Re-authentication
Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
IA-12: Identity Proofing
Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines; Resolve user identities to a unique individual; and Collect, validate, and verify identity evidence.
NIST Special Publication 800-171 Revision 2
3.5.1: Identify system users, processes acting on behalf of users, and devices
Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for…
3.5.2: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation…
3.5.5: Prevent reuse of identifiers for a defined period
Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
3.5.6: Disable identifiers after a defined period of inactivity
Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.
3.5.7: Enforce a minimum password complexity and change of characters when new passwords are created
This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate…
3.5.8: Prohibit password reuse for a specified number of generations
Password lifetime restrictions do not apply to temporary passwords.
3.5.9: Allow temporary password use for system logons with an immediate change to a permanent password
Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises.
3.5.10: Store and transmit only cryptographically-protected passwords
Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO].
3.5.11: Obscure feedback of authentication information
The feedback from systems does not provide any information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems or system components, for example, desktop or notebook computers with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for…
Cloud Controls Matrix v3.0.1
IAM-01: Audit Tools Access
Access to, and use of, audit tools that interact with the organization’s information systems shall be appropriately segregated and access restricted to prevent inappropriate disclosure and tampering of log data.
IAM-02: Credential Lifecycle / Provision Management
User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes,…
IAM-04: Policies and Procedures
Policies and procedures shall be established to store and manage identity information about every person who accesses IT infrastructure and to determine their level of access. Policies shall also be developed to control access to network resources based on user identity.
IAM-07: Third Party Access
The identification, assessment, and prioritization of risks posed by business processes requiring third-party access to the organization’s information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning…
IAM-09: User Access Authorization
Provisioning user access (e.g., employees, contractors, customers (tenants), business partners, and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization’s management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer…
IAM-10: User Access Reviews
User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization’s business leadership or other accountable business role or function supported by evidence to demonstrate the organization is adhering to the rule of least privilege based on job function. For identified access violations, remediation must follow established user access policies…
IAM-11: User Access Revocation
Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components, shall be implemented as per established policies and procedures and based on user’s change in status (e.g., termination of employment or other business relationship, job change, or transfer). Upon request, provider shall…
IAM-12: User ID Credentials
Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures: Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation) Account credential lifecycle management from instantiation through revocation Account credential…
Critical Security Controls Version 8
4: Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
5: Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
6: Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
13: Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.
15: Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
NIST Special Publication 800-53 Revision 4
AC-1: Access Control Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the access control policy and associated access controls; and Reviews and updates the current: Access control policy [Assignment:…
AC-2: Account Management
The organization: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; Assigns account managers for information system accounts; Establishes conditions for group and role membership; Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other…
IA-1: Identification And Authentication Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and Reviews and updates the current:…
IA-2: Identification And Authentication (Organizational Users)
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
IA-3: Device Identification And Authentication
The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
IA-4: Identifier Management
The organization manages information system identifiers by: Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier; Selecting an identifier that identifies an individual, group, role, or device; Assigning the identifier to the intended individual, group, role, or device; Preventing reuse of identifiers for [Assignment: organization-defined time period];…
IA-5: Authenticator Management
The organization manages information system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; Establishing initial authenticator content for authenticators defined by the organization; Ensuring that authenticators have sufficient strength of mechanism for their intended use; Establishing and implementing administrative procedures for…
IA-6: Authenticator Feedback
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
IA-7: Cryptographic Module Authentication
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-8: Identification And Authentication (Non-Organizational Users)
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
IA-9: Service Identification And Authentication
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
IA-10: Adaptive Identification And Authentication
The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].
IA-11: Re-Authentication
The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
Critical Security Controls Version 7.1
1: Inventory and Control of Hardware Assets
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
3: Continuous Vulnerability Management
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
4: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
16: Account Monitoring and Control
Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
20: Penetration Tests and Red Team Exercises
Test the overall strength of an organization’s defense (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.