IA-3: Device Identification and Authentication
Control Family:
Threats Addressed:
Baselines:
- Low
N/A
- Moderate
- IA-3
- High
- IA-3
- Privacy
N/A
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- IA-3: Device Identification And Authentication
Control Statement
Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Assignment (one or more): local, remote, network] connection.
Supplemental Guidance
Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number/type of devices based on mission or business needs.
Control Enhancements
IA-3(1): Cryptographic Bidirectional Authentication
Baseline(s):
Authenticate [Assignment: organization-defined devices and/or types of devices] before establishing [Assignment (one or more): local, remote, network] connection using bidirectional authentication that is cryptographically based.
IA-3(3): Dynamic Address Allocation
Baseline(s):
Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and Audit lease information when assigned to a device.
IA-3(4): Device Attestation
Baseline(s):
Handle device identification and authentication based on attestation by [Assignment: organization-defined configuration management process].