CMMC Practice IA.L1-3.5.2

Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Bold Coast Security Guidance

This practice focuses first on ensuring that the person using a username is the appropriate user, by requiring a suitable password or other authenticator. As noted in the level two practice IA.2.080, you should also require users to change their passwords after you issue them their initial credentials. You are also encouraged to use other forms of authentication, such as hardware keys, tokens, or certificates, because passwords are commonly captured and reused for malicious purposes.

The second part of this practice refers to authenticating devices on your network. When a device attempts to connect to another device on the network, it must have a means of identification and authentication. In most Active Directory-authenticated networks this is performed behind the scenes, as all workstations and servers must "join" the domain (receiving their own computer account and credentials) before they can share resources.

The clarification offered by CMMC also serves as a reminder to change or disable all default system accounts. This is standard operating procedure, and most equipment purchased today forces a change of the default credentials during initial setup; for equipment that does not, change or disable the default accounts manually before the device is placed on the network.

The organizational policy must state that all devices and users will be authenticated, and the organizational plan will state how that authentication is managed, such as through Active Directory. The plan will reflect the organizational authentication parameters, such as the password standards defined in the level two practices for this domain.

To measure the effectiveness of your authentication parameters, monitor your logs for failed and successful authentication and device connection attempts. Repeated failures against one account, a success that follows a burst of failures, or a logon to a default or vendor account are indicators of account misuse or compromise.
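The following script is an added illustration of the log-monitoring check described above; it is example code written for this page, not Bold Coast Security or NIST material. It parses OpenSSH-style authentication lines (the sample lines are constructed, not captured from a real system), counts failed attempts per source and account, and reports two of the indicators mentioned: a successful logon that follows a burst of failures, and any successful logon to a default or vendor account. The default-account list and the failure threshold are assumptions you would tune to your environment.

```python
import re
from collections import defaultdict

# Constructed sample auth log in syslog/OpenSSH format (not from a real system).
SAMPLE_LOG = """\
Mar  4 09:12:01 fileserver sshd[2231]: Failed password for jsmith from 10.0.5.17 port 51022 ssh2
Mar  4 09:12:03 fileserver sshd[2231]: Failed password for jsmith from 10.0.5.17 port 51022 ssh2
Mar  4 09:12:05 fileserver sshd[2231]: Failed password for jsmith from 10.0.5.17 port 51022 ssh2
Mar  4 09:12:07 fileserver sshd[2231]: Failed password for jsmith from 10.0.5.17 port 51022 ssh2
Mar  4 09:12:09 fileserver sshd[2231]: Failed password for jsmith from 10.0.5.17 port 51022 ssh2
Mar  4 09:12:11 fileserver sshd[2240]: Accepted password for jsmith from 10.0.5.17 port 51030 ssh2
Mar  4 09:15:40 fileserver sshd[2301]: Accepted publickey for mlee from 10.0.5.22 port 40211 ssh2
Mar  4 09:20:02 fileserver sshd[2350]: Failed password for invalid user admin from 203.0.113.9 port 33120 ssh2
Mar  4 09:20:04 fileserver sshd[2350]: Failed password for invalid user admin from 203.0.113.9 port 33120 ssh2
Mar  4 09:31:15 fileserver sshd[2402]: Accepted password for admin from 203.0.113.9 port 33400 ssh2
"""

# Matches both "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user] <user> from <ip>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumed list of default/vendor account names; extend with your own equipment's defaults.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest", "cisco", "pi"}

# Assumed threshold: this many failures for one (source, account) pair before a
# subsequent success is treated as a likely guessed or reused password.
FAILURE_THRESHOLD = 5


def parse_events(text):
    """Return a list of dicts (result, method, user, src) for each parseable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_findings(events, threshold=FAILURE_THRESHOLD, default_accounts=DEFAULT_ACCOUNTS):
    """Walk events in order and emit indicators of misuse or compromise."""
    failures = defaultdict(int)  # (src, user) -> failures since the last success
    findings = []
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        # A successful logon: check what preceded it and who it was for.
        if failures[key] >= threshold:
            findings.append({
                "type": "success_after_failures",
                "user": ev["user"], "src": ev["src"], "failures": failures[key],
            })
        if ev["user"] in default_accounts:
            findings.append({
                "type": "default_account_login",
                "user": ev["user"], "src": ev["src"], "method": ev["method"],
            })
        failures[key] = 0  # the success resets the failure run for this pair
    return findings


def failure_totals(events):
    """Total failed attempts per source address, for the 'noisy source' view."""
    totals = defaultdict(int)
    for ev in events:
        if ev["result"] == "Failed":
            totals[ev["src"]] += 1
    return dict(totals)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in find_findings(evs):
        print(f)
    print("failures per source:", failure_totals(evs))
```

On the sample data the script reports jsmith's success from 10.0.5.17 after five failures and the password logon to the default account admin from 203.0.113.9; mlee's key-based logon produces nothing. In practice you would feed it your collected auth logs (or the equivalent Windows logon events) and route the findings to whoever owns account review.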

Discussion From Source

DRAFT NIST SP 800-171 R2

Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords. NIST SP 800-63-3 provides guidance on digital identities.
