3.5 IDENTIFICATION AND AUTHENTICATION

By wnoble2005@gmail.com (William Noble) 📅 2024-03-01

NIST 800-171 control 3.5, focuses on securing access to systems by requiring identification and authentication of users, processes, and devices. This means uniquely identifying everyone and everything interacting with the system, and then verifying their claimed identities before granting access. This helps ensure only authorized individuals and devices can access sensitive information and functionalities.

(Image credit: q4q.com)

NIST 800-171, a publication by the National Institute of Standards and Technology, focuses on protecting Controlled Unclassified Information (CUI) in nonfederal information systems. One critical aspect covered in NIST 800-171 is identification and authentication, which ensures only authorized users and devices access these systems.

There are three main requirements within NIST 800-171 regarding identification and authentication. First, organizations must assign unique identifiers to users, processes acting on behalf of users (like automated tasks), and devices. This helps track activity and prevent unauthorized access. Second, organizations must implement methods to verify the identities of users and devices before granting access to CUI systems. This verification process, often called authentication, typically involves credentials like usernames and passwords.

Finally, NIST 800-171 emphasizes the importance of multi-factor authentication (MFA). MFA adds an extra layer of security by requiring users to provide more than one piece of evidence to verify their identity. This could be a combination of something the user knows (password), something the user has (security token), or something the user is (fingerprint). By requiring MFA, organizations make it significantly harder for unauthorized individuals to gain access to CUI, even if they steal a password.

Go to 3.5 IDENTIFICATION AND AUTHENTICATION Page

Contents of 3.5 IDENTIFICATION AND AUTHENTICATION:

3.5.1 Identify system users, processes acti...devices

3.5.2 Authenticate (or verify) the identiti...systems

3.5.3 Use multifactor authentication for lo...ccounts

3.5.4 Employ replay-resistant authenticatio...ccounts

3.5.5 Prevent reuse of identifiers for a de....period

3.5.6 Disable identifiers after a defined p...ctivity

3.5.7 Enforce a minimum password complexity...created

3.5.8 Prohibit password reuse for a specifi...rations

3.5.9 Allow temporary password use for syst...assword

3.5.10 Store and transmit only cryptographi...sswords

3.5.11 Obscure feedback of authentication i...rmation

☰

Back

About "3.5 IDENTIFICATION AND AU...ATION" 🡃

Category:Cybersecurity Maturity Model
Family:Access Control (AC 3.1), Audit and Accountability (AC 3.3), Awareness Training (AC 3.2), Configuration Management (AC 3.4), Identification and Authentication (AC 3.5), Incident Response (AC 3.6), Maintenance (AC 3.7), Media Protection (AC 3.8), Personnel Security (AC 3.9), Physical Protection (AC 3.10), Risk Assessment (AC 3.11), Security Assessment (AC 3.12), System and Communications Protection (AC 3.13), System and Information Integrity (AC 3.14)
NIST:NIST SP 800-171r3

#CybersecurityMaturityModel

⬅ Back to NIST Special Publication NIST SP 800-171r3

NIST Special Publication NIST SP 800-171r3

3.5 IDENTIFICATION AND AUTHENTICATION

More on q4q.com

Q4Q Technical Solutions