Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12. Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.
Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.
The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.
Implement multi-factor authentication for access to privileged accounts.
Implement multi-factor authentication for access to non-privileged accounts.
When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.
Implement multi-factor authentication for [Assignment (one or more): local, network, remote] access to [Assignment (one or more): privileged accounts, non-privileged accounts] such that: One of the factors is provided by a device separate from the system gaining access; and The device meets [Assignment: organization-defined strength of mechanism requirements].
Implement replay-resistant authentication mechanisms for access to [Assignment (one or more): privileged accounts, non-privileged accounts].
Provide a single sign-on capability for [Assignment: organization-defined system accounts and services].
Accept and electronically verify Personal Identity Verification-compliant credentials.
Implement the following out-of-band authentication mechanisms under [Assignment: organization-defined conditions]: [Assignment: organization-defined out-of-band authentication].