IA-11: Re-authentication

CSF v1.1 References:

CSF v2.0 References:

PF v1.0 References:

Threats Addressed:


  • Low
    • IA-11
  • Moderate
    • IA-11
  • High
    • IA-11
  • Privacy


Previous Version:

Control Statement

Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].

Supplemental Guidance

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.