catalog: SP800-53rev3 / class: Technical / family: (IA) Identification and Authentication

IA-03: Device Identification and Authentication

base control objective:
The information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection.

supplemental objective information:
The devices requiring unique identification and authentication may be defined by type, by specific device, or by a combination of type and device as deemed appropriate by the organization. The information system typically uses either shared known information (e.g., Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP) addresses) for identification, or an organizational authentication solution (e.g., IEEE 802.1X with the Extensible Authentication Protocol (EAP), a RADIUS server with EAP-Transport Layer Security (EAP-TLS) authentication, Kerberos) to identify and authenticate devices on local and/or wide area networks. The two are not equivalent: a MAC or IP address is asserted by the device itself and can be set to any value by whoever controls it, so address matching identifies a device only in the absence of an adversary and does not by itself satisfy the authentication part of the control; the cryptographic mechanisms listed do. The required strength of the device authentication mechanism is determined by the security categorization of the information system.

enhancements to the base objective:

(1) The information system authenticates devices before establishing remote network connections using bi-directional authentication between devices that is cryptographically based.
Enhancement Supplemental Guidance: Remote network connection is any connection with a device communicating through an external network (e.g., the Internet).

(2) The information system authenticates devices before establishing network connections using bi-directional authentication between devices that is cryptographically based.
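The bi-directional, cryptographically based device authentication that enhancements (1) and (2) call for, and that the supplemental guidance above names EAP-TLS and Kerberos as ways of providing, comes down to each side proving possession of a secret to the other before a connection is accepted. The Python below is an added illustration and not text or code from SP 800-53, NIST, or any 802.1X implementation: it runs an HMAC challenge-response handshake over a per-device pre-shared key, which stands in for certificate-based EAP-TLS so that the example is self-contained. The device identifiers, the authenticator name `radius-01`, and the key store are hypothetical.

```python
"""Bi-directional, cryptographically based device authentication.

Added example, not text from SP 800-53 or any NIST publication. A minimal
HMAC challenge-response handshake over a per-device pre-shared key stands
in for the certificate-based mechanisms (EAP-TLS, Kerberos) the guidance
names: each side proves key possession to the other before the connection
is accepted, which is the property IA-3(1) and IA-3(2) require.
"""
import hashlib
import hmac
import secrets

AUTHENTICATOR_ID = b"radius-01"        # hypothetical authenticator name
CONSTRUCTED_KEYSTORE = {               # hypothetical device id -> 32-byte shared key
    "switch-01": bytes.fromhex("0a" * 32),
    "printer-07": bytes.fromhex("b7" * 32),
}


def _tag(key, direction, init_id, resp_id, init_nonce, resp_nonce):
    """HMAC-SHA256 over a direction label, both identities and both nonces.

    The direction label and identities stop a peer from reflecting one side's
    proof back as its own; the two fresh nonces stop replay of an old proof.
    """
    msg = b"|".join((direction, init_id, resp_id, init_nonce, resp_nonce))
    return hmac.new(key, msg, hashlib.sha256).digest()


# Message 1, device -> authenticator: claimed identity and a fresh nonce.
def initiator_hello(init_id: str):
    return init_id.encode(), secrets.token_bytes(16)


# Message 2, authenticator -> device: its nonce and proof that it holds this
# device's key. Unknown devices get nothing back at all.
def responder_reply(keystore: dict, init_id: bytes, init_nonce: bytes):
    key = keystore.get(init_id.decode(errors="replace"))
    if key is None:
        return None
    resp_nonce = secrets.token_bytes(16)
    tag = _tag(key, b"resp->init", init_id, AUTHENTICATOR_ID, init_nonce, resp_nonce)
    return AUTHENTICATOR_ID, resp_nonce, tag


# Message 3, device -> authenticator: verify the authenticator first, and only
# then release the device's own proof. None means abort and send nothing.
def initiator_finish(key: bytes, init_id: bytes, init_nonce: bytes,
                     resp_id: bytes, resp_nonce: bytes, resp_tag: bytes):
    expected = _tag(key, b"resp->init", init_id, resp_id, init_nonce, resp_nonce)
    if not hmac.compare_digest(expected, resp_tag):
        return None
    return _tag(key, b"init->resp", init_id, resp_id, init_nonce, resp_nonce)


# Authenticator side of message 3: verify before opening the port.
def responder_verify(keystore: dict, init_id: bytes, init_nonce: bytes,
                     resp_nonce: bytes, init_tag: bytes) -> bool:
    key = keystore.get(init_id.decode(errors="replace"))
    if key is None:
        return False
    expected = _tag(key, b"init->resp", init_id, AUTHENTICATOR_ID, init_nonce, resp_nonce)
    return hmac.compare_digest(expected, init_tag)


def run_handshake(init_id: str, device_key: bytes, keystore: dict):
    """Drive all steps. Returns (authenticator proven to device, device proven
    to authenticator); the connection is established only if both are True."""
    ident, n_i = initiator_hello(init_id)
    reply = responder_reply(keystore, ident, n_i)
    if reply is None:
        return False, False
    resp_id, n_r, tag_r = reply
    tag_i = initiator_finish(device_key, ident, n_i, resp_id, n_r, tag_r)
    if tag_i is None:
        return False, False
    return True, responder_verify(keystore, ident, n_i, n_r, tag_i)


def reflection_attempt(init_id: str, keystore: dict) -> bool:
    """A keyless device replays the authenticator's tag as its own proof.
    The direction label inside the tag makes this fail."""
    ident, n_i = initiator_hello(init_id)
    _resp_id, n_r, tag_r = responder_reply(keystore, ident, n_i)
    return responder_verify(keystore, ident, n_i, n_r, tag_r)


if __name__ == "__main__":
    good = CONSTRUCTED_KEYSTORE["switch-01"]
    print("legitimate pair:    ", run_handshake("switch-01", good, CONSTRUCTED_KEYSTORE))
    print("rogue device:       ", run_handshake("switch-01", bytes(32), CONSTRUCTED_KEYSTORE))
    print("rogue authenticator:", run_handshake("switch-01", good, {"switch-01": bytes(32)}))
    print("reflection:         ", reflection_attempt("printer-07", CONSTRUCTED_KEYSTORE))
```

Two details carry the security argument. The authenticator proves itself first, so a device never hands its proof to a rogue access point; in an EAP-TLS deployment the same step is the supplicant validating the server certificate, and a supplicant configured to skip that validation has silently degraded the enhancement to one-way authentication. And every tag binds a direction label, both identities and both nonces, so a captured proof can be neither replayed nor reflected back as the other party's.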

(3) The organization standardizes, with regard to dynamic address allocation, the Dynamic Host Configuration Protocol (DHCP) lease information and lease time assigned to devices, and audits the lease information when an address is assigned to a device.
Enhancement Supplemental Guidance: With regard to dynamic address allocation for devices, DHCP-enabled clients typically obtain leases for IP addresses from DHCP servers. A standardized lease time together with an audit record for each assignment allows an IP address seen in other logs to be attributed to a specific device (hardware address) for the period of the lease.
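One way to produce the audit that enhancement (3) asks for, as an added example that is not NIST text or any DHCP server's own tooling: ISC dhcpd records every assignment in its dhcpd.leases file, so parsing that file and checking each active lease against the organization's standardized lease time and its device inventory yields one audit record per assignment, with findings where a lease deviates from the standard or was issued to an unregistered hardware address. The lease excerpt, the eight-hour standard, and the inventory below are constructed.

```python
"""Audit of DHCP lease assignments against an organizational standard.

Added example, not NIST text. It parses ISC dhcpd's dhcpd.leases format
(the sample below is constructed) and checks each active lease against two
hypothetical organization-defined rules: the lease time must equal the
standardized value, and the hardware address must be a registered device.
"""
import re
from datetime import datetime, timedelta

STANDARD_LEASE = timedelta(hours=8)   # hypothetical organizational standard
REGISTERED_DEVICES = {                # hypothetical inventory: MAC -> device
    "00:11:22:33:44:55": "switch-01",
    "66:77:88:99:aa:bb": "printer-07",
    "0c:0c:0c:0c:0c:03": "camera-03",
}

# Constructed excerpt. ISC writes times as 'W YYYY/MM/DD HH:MM:SS' in UTC
# (W = weekday number) or the literal 'never' for an infinite lease.
CONSTRUCTED_LEASES = """\
lease 10.20.30.101 {
  starts 3 2024/01/17 08:00:00;
  ends 3 2024/01/17 16:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "switch-01";
}
lease 10.20.30.102 {
  starts 3 2024/01/17 08:05:00;
  ends 3 2024/01/24 08:05:00;
  binding state active;
  hardware ethernet 66:77:88:99:aa:bb;
  client-hostname "printer-07";
}
lease 10.20.30.150 {
  starts 3 2024/01/17 09:30:00;
  ends 3 2024/01/17 17:30:00;
  binding state active;
  hardware ethernet de:ad:be:ef:00:01;
  client-hostname "unknown-laptop";
}
lease 10.20.30.104 {
  starts 3 2024/01/17 10:00:00;
  ends never;
  binding state active;
  hardware ethernet 0c:0c:0c:0c:0c:03;
  client-hostname "camera-03";
}
"""

_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
_FIELD = re.compile(r"^\s*(starts|ends|binding state|hardware ethernet|client-hostname)"
                    r"\s+(.*?);\s*$", re.MULTILINE)

def _parse_time(value: str):
    if value == "never":
        return None
    _weekday, stamp = value.split(" ", 1)
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S")

def parse_leases(text: str) -> list:
    """One dict per lease block; 'next binding state' lines do not match _FIELD."""
    leases = []
    for ip, body in _BLOCK.findall(text):
        rec = {"ip": ip, "starts": None, "ends": None, "state": None, "mac": None, "hostname": None}
        for name, value in _FIELD.findall(body):
            if name in ("starts", "ends"):
                rec[name] = _parse_time(value)
            elif name == "binding state":
                rec["state"] = value
            elif name == "hardware ethernet":
                rec["mac"] = value.lower()
            else:
                rec["hostname"] = value.strip('"')
        leases.append(rec)
    return leases

def audit_leases(leases: list, registered: dict, standard: timedelta) -> list:
    """One audit record per active lease, carrying zero or more findings."""
    records = []
    for lease in leases:
        if lease["state"] != "active":
            continue                              # only current assignments are audited
        findings = []
        duration = None if lease["ends"] is None else lease["ends"] - lease["starts"]
        if duration is None:
            findings.append("infinite lease (ends never)")
        elif duration != standard:
            findings.append(f"non-standard lease time {duration} (standard {standard})")
        device = registered.get(lease["mac"])
        if device is None:
            findings.append(f"unregistered hardware address {lease['mac']}")
        records.append({"ip": lease["ip"], "mac": lease["mac"], "hostname": lease["hostname"],
                        "device": device, "assigned": lease["starts"], "duration": duration,
                        "findings": findings})
    return records
```

Run over the constructed file, `audit_leases(parse_leases(CONSTRUCTED_LEASES), REGISTERED_DEVICES, STANDARD_LEASE)` passes 10.20.30.101 clean, flags 10.20.30.102 for a seven-day lease, 10.20.30.150 for a hardware address that is not in the inventory, and 10.20.30.104 for an infinite lease. The client-supplied hostname is recorded but never used as an identifier; the hardware address is the only field matched against the inventory, and even that is an identifier rather than an authenticator, which is why this audit complements the base control rather than replacing it.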

mapping to FIPS199 baseline:

  LOW: not selected     MOD: base control     HIGH: base control

related controls:

None.

documents referenced in SP800-53rev3 for IA-03:

Document             Date            Status   Title
FIPS 199             February 2004   current  Standards for Security Categorization of Federal Information and Information Systems
NIST SP800-113       July 2008       current  Guide to SSL VPNs
NIST SP800-121       June 2012       current  Guide to Bluetooth Security
NIST SP800-124       July 2008       current  Guidelines on Cell Phone and PDA Security
NIST SP800-48        July 2008       current  Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
NIST SP800-52        June 2005       current  Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
NIST SP800-58        January 2005    current  Security Considerations for Voice Over IP Systems
NIST SP800-72        November 2004   current  Guidelines on PDA Forensics
NIST SP800-73-part2  February 2010   current  Interfaces for Personal Identity Verification
NIST SP800-77        December 2005   current  Guide to IPsec VPNs
NIST SP800-81        August 2010     current  Secure Domain Name System (DNS) Deployment Guide
NIST SP800-96        September 2006  current  PIV Card to Reader Interoperability Guidelines
NIST SP800-97        (not given)     DRAFT    Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
