CMMC Practice IA.L1-3.5.2

Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Bold Coast Security Guidance

This practice focuses first on ensuring the person using the username is the appropriate user by requiring a suitable password or other identifier. As noted in the level two practice IA.2.080, you should also require users to change their passwords after you issue them their credentials. You are also encouraged to use other forms of authentication, such as hardware keys, tokens, or certificates, as passwords are commonly captured and exploited for malicious purposes. The second part of this practice refers to authenticating infrastructure devices on your network. When a device attempts to make connections to another device on the network, it must have a means of identifications and authentication. In most Active Directory authenticated network this is performed behind the scenes as all workstations and servers must "join" the domain to share resources. The clarification offered by CMMC also serves as a reminder to change or disable all default system accounts. This is a standard operating procedure and nearly all equipment purchased to today will force a change of the default credentials when first set up. The organizational policy must state that all devices and users will be authenticated, and the organizational plan will state how the authentication is managed, such as through Active Directory. The plan will reflect the organizational authentication parameters, such as password standards which are defined in the level two practices for this domain. The measure to measure the effectiveness of your authentication parameters, you will monitor your logs for failed and successful authentication and device connection attempts which indicate account misuse or compromise.

Discussion From Source

DRAFT NIST SP 800-171 R2 Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords. NIST SP 800-63-3 provides guidance on digital identities.