home || catalog: SP800-53rev3 / class: Technical / family: (IA) Identification and Authentication ||
search controls:
search nistpubs:

AC
AT
AU
CA
CM
CP
IA

IA-01
IA-02
IA-03
IA-04
IA-05 *
IA-06
IA-07
IA-08

IR
MA
MP
PE
PL
PM
PS
RA
SA
SC
SI
MMMMM

  IA-05: Authenticator Management  

base control objective:
The organization manages information system authenticators for users and devices by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators upon information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate);
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification; and
i. Requiring users to take, and having devices implement, specific measures to safeguard authenticators.

supplemental objective information:
User authenticators include, for example, tokens, PKI certificates, biometrics, passwords, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). Many information system components are shipped with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, present a significant security risk, and therefore, are changed upon installation. The requirement to protect user authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of users and by controls AC-3, AC-6, and SC-28 for authenticators stored within the information system (e.g., passwords stored in a hashed or encrypted format, files containing encrypted or hashed passwords accessible only with super user privileges). The information system supports user authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one time tokens, and number of allowed rejections during verification stage of biometric authentication. Measures to safeguard user authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing authenticators with others, and reporting lost or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. Device authenticators include, for example, certificates and passwords.

enhancements to the base objective:

(1) The information system, for PKI-based authentication:
(a) Validates certificates by constructing a certification path with status information to an accepted trust anchor;
(b) Enforces authorized access to the corresponding private key; and
(c) Maps the authenticated identity to the user account.
Enhancement Supplemental Guidance: Status information for certification paths includes, for example, certificate revocation lists or online certificate status protocol responses.

(2) The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).

(3) The organization employs automated tools to determine if authenticators are sufficiently strong to resist attacks intended to discover or otherwise compromise the authenticators.

(4) The organization requires vendors and/or manufacturers of information system components to provide unique authenticators or change default authenticators prior to delivery.
Enhancement Supplemental Guidance: This control enhancement extends the requirement for organizations to change default authenticators upon information system installation, by requiring vendors and/or manufacturers of information system components to provide unique authenticators or change default authenticators for those components prior to delivery to the organization. Unique authenticators are assigned by vendors and/or manufacturers to specific information system components (i.e., delivered information technology products) with distinct serial numbers. This requirement is included in acquisition documents prepared by the organization when procuring information systems and/or information system components.

(5) The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper case letters, lower case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least a [Assignment: organization-defined number of changed characters] when new passwords are created;
(c) Encrypts passwords in storage and in transmission;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; and
(e) Prohibits password reuse for [Assignment: organization-defined number] generations.
Enhancement Supplemental Guidance: Deployed/tactical information systems with limited data input capabilities implement the password requirements to the extent feasible.

(6) The organization protects authenticators commensurate with the classification or sensitivity of the information accessed.

(7) The organization ensures that passwords are not embedded in access scripts or stored on function keys.

(8) The organization takes [Assignment: organization-defined measures] to manage the risk of compromise due to individuals having accounts on multiples information systems.
Enhancement Supplemental Guidance: When an individual has accounts on multiple information systems, there is the risk that if one account is compromised and the individual is using the same user identifier and authenticator, other accounts will be compromised as well. Possible alternatives include, but are not limited to:
(i) having the same user identifier but different authenticators on all systems;
(ii) having different user identifiers and authenticators on each system;
(iii) employing some form of single sign-on mechanism; or
(iv) including some form of one-time passwords on all systems.

(9) The organization employs [Assignment: organization-defined one-time authentication mechanisms] for network access to privileged accounts.
Enhancement Supplemental Guidance: One-time authentication mechanisms include, for example, time synchronous authenticators, challenge-response authenticators, and PKI one time component.

(10) The organization employs [Assignment: organization-defined one-time authentication mechanisms] for network access to non-privileged accounts.
Enhancement Supplemental Guidance: One-time authentication mechanisms include, for example, time synchronous authenticators, challenge-response authenticators, and PKI one time component.

mapping to FIPS199 baseline:

  LOW: base     MOD: base (1) (2)     HIGH: base (1) (2)  

related (regimented) controls:

IA-02   User Identification and Authentication (Organizational Users)

documents referenced in SP800-53rev3 for IA-05:

Document Date Status Title
FIPS 190 September, 1994 current   Guideline for the Use of Advanced Authentication Technology Alternatives, September 1994
FIPS 201-1 March, 2006 current   Personal Identity Verification (PIV) of Federal Employees and Contractors
NIST SP800-113 July, 2008 current   Guide to SSL VPNs
NIST SP800-25 October, 2000 current   Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
NIST SP800-32 February, 2001 current   Introduction to Public Key Technology and the Federal PKI Infrastructure
NIST SP800-63 April, 2006 current   Electronic Authentication Guideline
NIST SP800-66 October, 2008 current   An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST SP800-73-part2 February, 2010 current   Interfaces for Personal Identity Verification
NIST SP800-76 September, 2006 DRAFT   Biometric Data Specification for Personal Identity Verification
NIST SP800-77 December, 2005 current   Guide to IPsec VPNs
NIST SP800-78 December, 2010 current   Cryptographic Algorithms and Key Sizes for Personal Identity Verification
NIST SP800-87 January, 2006 current   Codes for Identification of Federal and Federally-Assisted Organizations
NIST SP800-96 September, 2006 current   PIV Card to Reader Interoperability Guidelines

Search SP800-53rev3 catalog: