Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ia-3(1)

device identification and authentication  | cryptographic bidirectional authentication

assessment objective:

Determine if:

ia-3(1)[1]

the organization defines specific and/or types of devices requiring use of cryptographically based, bidirectional authentication to authenticate before establishing one or more of the following:

ia-3(1)[1][a]

a local connection;

ia-3(1)[1][b]

a remote connection; and/or

ia-3(1)[1][c]

a network connection;

ia-3(1)[2]

the information system uses cryptographically based bidirectional authentication to authenticate organization-defined devices before establishing one or more of the following:

ia-3(1)[2][a]

a local connection;

ia-3(1)[2][b]

a remote connection; and/or

ia-3(1)[2][c]

a network connection.

potential assessment methods and objects:

Examine: [select from: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; list of devices requiring unique identification and authentication; device connection reports; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with operational responsibilities for device identification and authentication; organizational personnel with information security responsibilities; system/network administrators; system developers].

Test: [select from: Automated mechanisms supporting and/or implementing device authentication capability; cryptographically based bidirectional authentication mechanisms].