Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ia-3

device identification and authentication

assessment objective:

Determine if:

ia-3[1]

the organization defines specific and/or types of devices that the information system uniquely identifies and authenticates before establishing one or more of the following:

ia-3[1][a]

a local connection;

ia-3[1][b]

a remote connection; and/or

ia-3[1][c]

a network connection; and

ia-3[2]

the information system uniquely identifies and authenticates organization-defined devices before establishing one or more of the following:

ia-3[2][a]

a local connection;

ia-3[2][b]

a remote connection; and/or

ia-3[2][c]

a network connection.

potential assessment methods and objects:

Examine: [select from: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; list of devices requiring unique identification and authentication; device connection reports; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with operational responsibilities for device identification and authentication; organizational personnel with information security responsibilities; system/network administrators; system developers].

Test: [select from: Automated mechanisms supporting and/or implementing device identification and authentication capability].