IA-3: Device Identification And Authentication
Control Family:
Threats Addressed:
Baselines:
- Low: N/A
- Moderate: IA-3
- High: IA-3
Next Version:
- NIST Special Publication 800-53 Revision 5: IA-3: Device Identification and Authentication
Control Statement
The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
Supplemental Guidance
Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1X and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on a large scale, organizations are encouraged to apply the control only to the limited number (and type) of devices that truly need to support this capability.
Control Enhancements
IA-3(1): Cryptographic Bidirectional Authentication
Baseline(s):
The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based.
IA-3(3): Dynamic Address Allocation
Baseline(s):
The organization:
- Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and
- Audits lease information when assigned to a device.
IA-3(4): Device Attestation
Baseline(s):
The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process].