PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
Threats Addressed:
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
AC-14: Permitted Actions Without Identification or Authentication
Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.
IA-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] identification and authentication policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the…
IA-2: Identification and Authentication (organizational Users)
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
IA-3: Device Identification and Authentication
Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Assignment (one or more): local, remote, network] connection.
IA-5: Authenticator Management
Manage system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; Establishing initial authenticator content for any authenticators issued by the organization; Ensuring that authenticators have sufficient strength of mechanism for their intended use; Establishing and implementing administrative procedures for initial…
IA-8: Identification and Authentication (non-organizational Users)
Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
IA-9: Service Identification and Authentication
Uniquely identify and authenticate [Assignment: organization-defined system services and applications] before establishing communications with devices, users, or other services or applications.
IA-10: Adaptive Authentication
Require individuals accessing the system to employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].
IA-11: Re-authentication
Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
Cloud Controls Matrix v3.0.1
DCS-03: Equipment Identification
Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.
IAM-07: Third Party Access
The identification, assessment, and prioritization of risks posed by business processes requiring third-party access to the organization’s information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning…
IAM-12: User ID Credentials
Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures: Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation) Account credential lifecycle management from instantiation through revocation Account credential…
MOS-16: Passwords
Password policies, applicable to mobile devices, shall be documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and shall prohibit the changing of password/PIN lengths and authentication requirements.
Critical Security Controls Version 8
6: Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
12: Network Infrastructure Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
13: Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.
NIST Special Publication 800-53 Revision 4
AC-7: Unsuccessful Logon Attempts
The information system: Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the…
AC-8: System Use Notification
The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Users are accessing a U.S. Government information system; Information system usage may be…
AC-9: Previous Logon (Access) Notification
The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
AC-11: Session Lock
The information system: Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and Retains the session lock until the user reestablishes access using established identification and authentication procedures.
AC-12: Session Termination
The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
AC-14: Permitted Actions Without Identification Or Authentication
The organization: Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
IA-1: Identification And Authentication Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and Reviews and updates the current:…
IA-2: Identification And Authentication (Organizational Users)
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
IA-3: Device Identification And Authentication
The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
IA-4: Identifier Management
The organization manages information system identifiers by: Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier; Selecting an identifier that identifies an individual, group, role, or device; Assigning the identifier to the intended individual, group, role, or device; Preventing reuse of identifiers for [Assignment: organization-defined time period];…
IA-5: Authenticator Management
The organization manages information system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; Establishing initial authenticator content for authenticators defined by the organization; Ensuring that authenticators have sufficient strength of mechanism for their intended use; Establishing and implementing administrative procedures for…
IA-8: Identification And Authentication (Non-Organizational Users)
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
IA-9: Service Identification And Authentication
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
IA-10: Adaptive Identification And Authentication
The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].
IA-11: Re-Authentication
The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
Critical Security Controls Version 7.1
3: Continuous Vulnerability Management
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
4: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
15: Wireless Access Control
The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (WLANs), access points, and wireless client systems.
16: Account Monitoring and Control
Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.