IA-5: Authenticator Management
Next Version:
- NIST Special Publication 800-53 Revision 5: IA-5: Authenticator Management
Control Statement
The organization manages information system authenticators by:
- Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
- Establishing initial authenticator content for authenticators defined by the organization;
- Ensuring that authenticators have sufficient strength of mechanism for their intended use;
- Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
- Changing default content of authenticators prior to information system installation;
- Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
- Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
- Protecting authenticator content from unauthorized disclosure and modification;
- Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
- Changing authenticators for group/role accounts when membership to those accounts changes.
Supplemental Guidance
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.
Control Enhancements
IA-5(1): Password-Based Authentication
Baseline(s):
- Low
- Moderate
- High
The information system, for password-based authentication:
- Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
- Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
- Stores and…
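The two enforceable requirements in IA-5(1) that survive on this page (per-type composition minima and a minimum number of changed characters between old and new passwords) as an added Python example; this is not code from NIST or any product. The policy numbers are assumed placeholders for the organization-defined assignments, and "changed characters" is interpreted here as the edit distance between old and new password, so an inserted character does not count every shifted position as a change.

```python
"""IA-5(1) password-policy checks: composition minima and minimum changed characters.
Added example; the policy numbers below are assumed placeholders for the
organization-defined assignments in the control text, not NIST-mandated values."""
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12          # assumed organization-defined value
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    min_changed_chars: int = 4    # [Assignment: organization-defined number]


def composition_failures(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the names of composition requirements the password fails (empty list = pass)."""
    checks = [
        ("length", len(password), policy.min_length),
        ("upper", sum(c.isupper() for c in password), policy.min_upper),
        ("lower", sum(c.islower() for c in password), policy.min_lower),
        ("digits", sum(c.isdigit() for c in password), policy.min_digits),
        ("special", sum(c in string.punctuation for c in password), policy.min_special),
    ]
    return [name for name, have, need in checks if have < need]


def changed_characters(old: str, new: str) -> int:
    """Count changed characters as the Levenshtein edit distance (assumed interpretation).
    Comparison is case-sensitive, matching the case-sensitivity requirement in the control."""
    prev = list(range(len(new) + 1))
    for i, oc in enumerate(old, 1):
        cur = [i]
        for j, nc in enumerate(new, 1):
            # deletion, insertion, or substitution (cost 0 when characters match)
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (oc != nc)))
        prev = cur
    return prev[-1]


def check_new_password(old: str, new: str, policy: PasswordPolicy) -> list[str]:
    """All failures for a proposed password change; an empty list means the change is accepted."""
    failures = composition_failures(new, policy)
    if changed_characters(old, new) < policy.min_changed_chars:
        failures.append("changed_chars")
    return failures
```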
IA-5(2): PKI-Based Authentication
Baseline(s):
- Moderate
- High
The information system, for PKI-based authentication:
- Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
- Enforces authorized access to the corresponding private key;
- Maps the authenticated identity to the account of the individual or group; and
- Implements a local cache of revocation data to support…
IA-5(3): In-Person Or Trusted Third-Party Registration
Baseline(s):
- Moderate
- High
The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
IA-5(4): Automated Support For Password Strength Determination
Baseline(s):
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].
IA-5(5): Change Authenticators Prior To Delivery
Baseline(s):
The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.
IA-5(6): Protection Of Authenticators
Baseline(s):
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
IA-5(7): No Embedded Unencrypted Static Authenticators
Baseline(s):
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
IA-5(8): Multiple Information System Accounts
Baseline(s):
The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems.
IA-5(9): Cross-Organization Credential Management
Baseline(s):
The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials.
IA-5(10): Dynamic Credential Association
Baseline(s):
The information system dynamically provisions identities.
IA-5(11): Hardware Token-Based Authentication
Baseline(s):
- Low
- Moderate
- High
The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].
IA-5(12): Biometric-Based Authentication
Baseline(s):
The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements].
IA-5(13): Expiration Of Cached Authenticators
Baseline(s):
The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period].
IA-5(14): Managing Content Of PKI Trust Stores
Baseline(s):
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.
IA-5(15): FICAM-Approved Products And Services
Baseline(s):
The organization uses only FICAM-approved path discovery and validation products and services.