UCF STIG Viewer Logo

IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)


Overview

Number Title Impact Priority Subject Area
IA-2 Identification And Authentication (Organizational Users) LOW P1 Identification And Authentication

Instructions
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Guidance
Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network.
Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.

Enhancements
IA-2 (1) Network Access To Privileged Accounts LOW

The information system implements multifactor authentication for network access to privileged accounts.

IA-2 (2) Network Access To Non-Privileged Accounts MODERATE

The information system implements multifactor authentication for network access to non-privileged accounts.

IA-2 (3) Local Access To Privileged Accounts MODERATE

The information system implements multifactor authentication for local access to privileged accounts.

IA-2 (4) Local Access To Non-Privileged Accounts HIGH

The information system implements multifactor authentication for local access to non-privileged accounts.

IA-2 (5) Group Authentication
Requiring individuals to use individual authenticators as a second level of authentication helps organizations to mitigate the risk of using group authenticators.

The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.

IA-2 (6) Network Access To Privileged Accounts - Separate Device

The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets Assignment: organization-defined strength of mechanism requirements.

IA-2 (7) Network Access To Non-Privileged Accounts - Separate Device

The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets Assignment: organization-defined strength of mechanism requirements.

IA-2 (8) Network Access To Privileged Accounts - Replay Resistant MODERATE
Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

IA-2 (9) Network Access To Non-Privileged Accounts - Replay Resistant HIGH
Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.

The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

IA-2 (10) Single Sign-On
Single sign-on enables users to log in once and gain access to multiple information system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the increased risk from disclosures of single authenticators providing access to multiple system resources.

The information system provides a single sign-on capability for Assignment: organization-defined list of information system accounts and services.

IA-2 (11) Remote Access - Separate Device MODERATE
For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets Assignment: organization-defined strength of mechanism requirements.

IA-2 (12) Acceptance Of Piv Credentials LOW
This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

IA-2 (13) Out-Of-Band Authentication
Out-of-band authentication (OOBA) refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path), is used to identify and authenticate users or devices, and generally is the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access, and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user�s cell phone to verify that the requested action originated from the user. The user may either confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. This type of authentication can be employed by organizations to mitigate actual or suspected man-in the-middle attacks. The conditions for activation can include, for example, suspicious activities, new threat indicators or elevated threat levels, or the impact level or classification level of information in requested transactions.

The information system implements Assignment: organization-defined out-of-band authentication under Assignment: organization-defined conditions.