catalog: SP800-53rev3 / class: Technical / family: (IA) Identification and Authentication

IA-02: User Identification and Authentication (Organizational Users)

base control objective:
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

supplemental objective information:
Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization in AC-14. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof. Access to organizational information systems is defined as either local or network. Local access is any access to an organizational information system by a user (or process acting on behalf of a user) where such access is obtained by direct connection without the use of a network. Network access is any access to an organizational information system by a user (or process acting on behalf of a user) where such access is obtained through a network connection. Remote access is a type of network access which involves communication through an external network (e.g., the Internet). Internal networks include local area networks, wide area networks, and virtual private networks that are under the control of the organization. For a virtual private network (VPN), the VPN is considered an internal network if the organization establishes the VPN connection between organization-controlled endpoints in a manner that does not require the organization to depend on any external networks across which the VPN transits to protect the confidentiality and integrity of information transmitted. Identification and authentication requirements for information system access by other than organizational users are described in IA-8.
The identification and authentication requirements in this control are satisfied by complying with Homeland Security Presidential Directive 12. In addition to identifying and authenticating users at the information system level (i.e., at logon), identification and authentication mechanisms are employed at the application level, when necessary, to provide increased information security for the organization.

enhancements to the base objective:

(1) The information system uses multifactor authentication for network access to privileged accounts.

(2) The information system uses multifactor authentication for network access to non-privileged accounts.

(3) The information system uses multifactor authentication for local access to privileged accounts.

(4) The information system uses multifactor authentication for local access to non-privileged accounts.

(5) The information system uses passwords/personal identification numbers (PINs) for local and network access to non-privileged accounts.

(6) The information system uses passwords/personal identification numbers (PINs) for local access.

(7) The organization:
(a) Allows the use of group authenticators only when used in conjunction with an individual/unique authenticator; and
(b) Requires individuals to be authenticated with an individual authenticator prior to using a group authenticator.

(8) The organization employs multifactor authentication for remote access to non-privileged accounts where one of the factors is provided by a device separate from the information system being accessed.

mapping to FIPS199 baseline:

LOW:  base, (1)
MOD:  base, (1) (2) (3)
HIGH: base, (1) (2) (3) (4)

related (regimented) controls:

AC-14   Permitted Actions without Identification or Authentication
AC-17   Remote Access
IA-04   Identifier Management
IA-05   Authenticator Management

documents referenced in SP800-53rev3 for IA-02:

Document | Date | Status | Title
FIPS 201-1 | March 2006 | current | Personal Identity Verification (PIV) of Federal Employees and Contractors
OMB M-04-04 | December 2003 | current | E-Authentication Guidance for Federal Agencies
NIST SP800-12 | October 1995 | current | An Introduction to Computer Security: The NIST Handbook
NIST SP800-24 | August 2000 | current | PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
NIST SP800-44 | September 2002 | current | Guidelines on Securing Public Web Servers
NIST SP800-46 | June 2009 | current | Guide to Enterprise Telework and Remote Access Security
NIST SP800-63 | April 2006 | current | Electronic Authentication Guideline
NIST SP800-73-part2 | February 2010 | current | Interfaces for Personal Identity Verification
NIST SP800-76 | September 2006 | DRAFT | Biometric Data Specification for Personal Identity Verification
NIST SP800-78 | December 2010 | current | Cryptographic Algorithms and Key Sizes for Personal Identity Verification
NIST SP800-87 | January 2006 | current | Codes for Identification of Federal and Federally-Assisted Organizations
NIST SP800-96 | September 2006 | current | PIV Card to Reader Interoperability Guidelines
NIST SP800-97 | | DRAFT | Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i