Guidance for NIST 800-171 Assessment & Compliance

Zoom Window Out
Larger Text | Smaller Text
Hide Page Header
Show Expanding Text
Printable Version
Save Permalink URL

Navigation: IA-FAMILY: IDENTIFICATION AND AUTHENTICATION

IA-5 AUTHENTICATOR MANAGEMENT

Scroll Prev Top Next More

Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

(O)ther than satisfactory +##

###

ia-5	authenticator management
	assessment objective: Determine if the organization manages information system authenticators by:
	ia-5(a)	verifying, as part of the initial authenticator distribution, the identity of:
		ia-5(a)[1]	the individual receiving the authenticator;
		ia-5(a)[2]	the group receiving the authenticator;
		ia-5(a)[3]	the role receiving the authenticator; and/or
		ia-5(a)[4]	the device receiving the authenticator;
	ia-5(b)	establishing initial authenticator content for authenticators defined by the organization;
	ia-5(c)	ensuring that authenticators have sufficient strength of mechanism for their intended use;
	ia-5(d)	ia-5(d)[1]	establishing and implementing administrative procedures for initial authenticator distribution;
		ia-5(d)[2]	establishing and implementing administrative procedures for lost/compromised or damaged authenticators;
		ia-5(d)[3]	establishing and implementing administrative procedures for revoking authenticators;
	ia-5(e)	changing default content of authenticators prior to information system installation;
	ia-5(f)	ia-5(f)[1]	establishing minimum lifetime restrictions for authenticators;
		ia-5(f)[2]	establishing maximum lifetime restrictions for authenticators;
		ia-5(f)[3]	establishing reuse conditions for authenticators;
	ia-5(g)	ia-5(g)[1]	defining a time period (by authenticator type) for changing/refreshing authenticators;
	ia-5(g)	ia-5(g)[2]	changing/refreshing authenticators with the organization-defined time period by authenticator type;
	ia-5(h)	protecting authenticator content from unauthorized:
		ia-5(h)[1]	disclosure;
		ia-5(h)[2]	modification;
	ia-5(i)	ia-5(i)[1]	requiring individuals to take specific security safeguards to protect authenticators;
	ia-5(i)	ia-5(i)[2]	having devices implement specific security safeguards to protect authenticators; and
	ia-5(j)	changing authenticators for group/role accounts when membership to those accounts changes.
	potential assessment methods and objects: Examine: [select from: Identification and authentication policy; procedures addressing authenticator management; information system design documentation; information system configuration settings and associated documentation; list of information system authenticator types; change control records associated with managing information system authenticators; information system audit records; other relevant documents or records]. Interview: [select from: Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. Test: [select from: Automated mechanisms supporting and/or implementing authenticator management capability].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056