PR.AA-03: Users, services, and hardware are authenticated


[Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples


Ex1: Require multifactor authentication

Ex2: Enforce policies for the minimum strength of passwords, PINs, and similar authenticators

Ex3: Periodically reauthenticate users, services, and hardware based on risk (e.g., in zero trust architectures)

Ex4: Ensure that authorized personnel can access accounts essential for protecting safety under emergency conditions