IA-2: Identification and Authentication (organizational Users)

CSF v1.1 References:

PF v1.0 References:

Threats Addressed:


Previous Version:

Control Statement

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

Supplemental Guidance

Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12. Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.

Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.

The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.

Control Enhancements

IA-2(6): Access to Accounts – Separate Device


(Not part of any baseline)

Implement multi-factor authentication for [Assignment (one or more): local, network, remote] access to [Assignment (one or more): privileged accounts, non-privileged accounts] such that: One of the factors is provided by a device separate from the system gaining access; and The device meets [Assignment: organization-defined strength of mechanism requirements].

IA-2(10): Single Sign-on


(Not part of any baseline)

Provide a single sign-on capability for [Assignment: organization-defined system accounts and services].

IA-2(13): Out-of-band Authentication


(Not part of any baseline)

Implement the following out-of-band authentication mechanisms under [Assignment: organization-defined conditions]: [Assignment: organization-defined out-of-band authentication].