Difference between revisions of "Template:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Appendix 1.7 Identification and authentication"
Revisions by Shawndouglas: "Created as needed." and "Updated for 2023."
Latest revision as of 15:55, 21 March 2023
Appendix 1.7 Identification and authentication
IA-1 Policy and procedures
This control recommends the organization develop, document, disseminate, review, and update identification and authentication policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of identification and authentication action but also to address how those policies and procedures will be implemented, reviewed, and updated.
Additional resources:
- NIST Special Publications 800-12, Rev. 1, pages 62–63
- NIST Special Publications 800-63-3
- NIST Special Publications 800-73-4
- NIST Special Publications 800-76-2
- NIST Special Publications 800-78-4
- LIMSpec 7.1, 7.2
IA-2 Identification and authentication (organizational users)
This control recommends the system be able to identify and authenticate a user or user-propagated process as a single, unique entity by using one or more mechanisms. The choice of these mechanisms will be guided by organizational policy, regulations, laws, standards, and guidance documents. According to NIST, authentication mechanisms will be based on "something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric)."
Additional resources:
- NIST Special Publications 800-63-3
- NIST Special Publications 800-73-4
- NIST Special Publications 800-76-2
- NIST Special Publications 800-78-4
- LIMSpec 32.25, 32.35, 34.4, and 35.3
IA-2 (1) Identification and authentication (organizational users): Multi-factor authentication to privileged accounts
This control enhancement recommends the system be able to implement multifactor authentication for access to privileged accounts. "Multi-factor authentication requires the use of two or more different factors to achieve authentication." NIST adds that "[r]egardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk."
Additional resources:
- LIMSpec 35.3
IA-2 (2) Identification and authentication (organizational users): Multi-factor authentication to non-privileged accounts
This control enhancement recommends the system be able to implement multifactor authentication for access to non-privileged accounts. "Multi-factor authentication requires the use of two or more different factors to achieve authentication." NIST adds that "[r]egardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk."
Additional resources:
- LIMSpec 35.3
IA-2 (10) Identification and authentication (organizational users): Single sign-on
This control enhancement recommends the system be configurable to allow, if desired, single sign-on to specified system accounts and services, such that a user can log in once and gain access to multiple system resources.
Additional resources:
- LIMSpec 32.24
IA-2 (12) Identification and authentication (organizational users): Acceptance of [personal identity verification] credentials
This control enhancement recommends the system be capable of accepting and electronically verifying personal identity verification (PIV) credentials. The U.S. General Services Administration (GSA) says of PIV credentials: "PIV credentials have certificates and key pairs, pin numbers, biometrics like fingerprints and pictures, and other unique identifiers. When put together into a PIV credential, it provides the capability to implement multi-factor authentication for networks, applications and buildings."[1] These types of credentials are most often associated with federal agencies, and as such this control enhancement may not be required for a non-federal entity or organization.
Additional resources:
- LIMSpec 21.17
IA-4 Identifier management
This control recommends the organization ensure that the individual, group, role, and device identifiers in the system are selected, assigned, and disabled only by authorized individuals or roles. Those same individuals or roles are responsible both for preventing the reuse of those identifiers and for disabling those identifiers after a specified period of time (including "never").
Additional resources:
- NIST Special Publications 800-73-4
- NIST Special Publications 800-76-2
- NIST Special Publications 800-78-4
- LIMSpec 32.26, 32.28
IA-5 Authenticator management
This control recommends the organization ensure the individual, group, role, and device receiving a new authenticator has their identity verified, while also ensuring those new authenticators are properly defined, are sufficiently strong, and are backed by administrative and cybersecurity policy and procedure. That policy and procedure should address how authenticators are managed if lost, compromised, or damaged, as well as how to revoke the authenticators. Policy and procedure should also address use and reuse restrictions, refreshing rules, protection recommendations, personnel and device safeguards, and membership/role changes for authenticators.
Additional resources:
- FICAM Architecture Guide
- NIST Special Publications 800-63-3
- NIST Special Publications 800-73-4
- NIST Special Publications 800-76-2
- NIST Special Publications 800-78-4
- LIMSpec 32.25, 32.26, 32.27, 32.34, and 32.35
IA-5 (1) Authenticator management: Password-based authentication
This control enhancement recommends the system's password-based authentication be configurable to allow specific password-related rules set by the organization. This includes rules related to password complexity (i.e., case sensitivity, number of characters by type, uppercase-lowercase mix, numbers and special characters), minimum and maximum password lifetime rules, changed and updated password rules, and password reuse rules. The system should also be capable of allowing for the creation of temporary passwords and the storage and transmittal of passwords in an encrypted fashion.
Additional resources:
- LIMSpec 21.10
- LIMSpec 32.27, 32.28, and 32.40
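As an added example (not code from the LIMSpec page or from NIST), the following Python sketch models the configurable rule set IA-5(1) describes: complexity counted by character type, minimum and maximum password lifetime, a reuse history, admin-issued temporary passwords that must be replaced at first login, and protected storage (only salted PBKDF2 hashes are kept, never the password itself). All policy defaults, account data, dates and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class PasswordPolicy:
    # Organization-set rules; every default below is constructed for the demo.
    min_length: int = 12
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    min_lifetime: timedelta = timedelta(days=1)   # earliest user-initiated change
    max_lifetime: timedelta = timedelta(days=90)  # change forced after this
    reuse_generations: int = 5                    # generations kept and disallowed

@dataclass
class Account:
    # Only salted hashes are kept (newest last); plaintext is never stored.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    changed_at: Optional[datetime] = None
    temporary: bool = False   # admin-issued password, must be replaced at login

def _digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)

def complexity_errors(policy: PasswordPolicy, pw: str) -> List[str]:
    """Count characters by type against the policy minimums."""
    rules = [
        ("length", len(pw), policy.min_length),
        ("upper", sum(c.isupper() for c in pw), policy.min_upper),
        ("lower", sum(c.islower() for c in pw), policy.min_lower),
        ("digits", sum(c.isdigit() for c in pw), policy.min_digits),
        ("special", sum(not c.isalnum() for c in pw), policy.min_special),
    ]
    return [name for name, n, minimum in rules if n < minimum]

def is_reused(policy: PasswordPolicy, account: Account, pw: str) -> bool:
    """Hash the candidate with each stored salt; constant-time compare."""
    return any(hmac.compare_digest(_digest(pw, salt), digest)
               for salt, digest in account.history[-policy.reuse_generations:])

def set_password(policy: PasswordPolicy, account: Account, new_pw: str,
                 now: datetime, temporary: bool = False) -> List[str]:
    """Apply a change (temporary=True: admin-issued one-time password); returns violated rules."""
    errors = complexity_errors(policy, new_pw)
    if (account.changed_at is not None and not account.temporary
            and now - account.changed_at < policy.min_lifetime):
        errors.append("min_lifetime")
    if is_reused(policy, account, new_pw):
        errors.append("reuse")
    if errors:
        return errors
    salt = os.urandom(16)
    account.history.append((salt, _digest(new_pw, salt)))
    account.history = account.history[-policy.reuse_generations:]
    account.changed_at = now
    account.temporary = temporary
    return []

def verify_login(policy: PasswordPolicy, account: Account, pw: str,
                 now: datetime) -> str:
    """'denied', 'must_change' (temporary or past max lifetime) or 'ok'."""
    if not account.history:
        return "denied"
    salt, digest = account.history[-1]
    if not hmac.compare_digest(_digest(pw, salt), digest):
        return "denied"
    if account.temporary or now - account.changed_at > policy.max_lifetime:
        return "must_change"
    return "ok"

def demo() -> dict:
    """Constructed scenario exercising each rule; returns the outcomes."""
    policy, acct, t0 = PasswordPolicy(), Account(), datetime(2023, 3, 21)
    out = {"temp": set_password(policy, acct, "Tmp-Pass-2023!x", t0, temporary=True)}
    out["login_temp"] = verify_login(policy, acct, "Tmp-Pass-2023!x", t0)
    out["weak"] = set_password(policy, acct, "short1!", t0)
    out["user"] = set_password(policy, acct, "Lab-Result#2023", t0)  # temp may be replaced at once
    out["too_soon"] = set_password(policy, acct, "Another-Pw#2024", t0 + timedelta(hours=2))
    out["reuse"] = set_password(policy, acct, "Tmp-Pass-2023!x", t0 + timedelta(days=2))
    out["expired"] = verify_login(policy, acct, "Lab-Result#2023", t0 + timedelta(days=91))
    return out
```

Each rule is reported by name so an administrator can see which organization-set setting rejected a change, and the minimum-lifetime rule is waived for a temporary password so the user can replace it immediately.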
IA-6 Authentication feedback
This control recommends the system obscure how authentication information, such as passwords, is entered, using mechanisms such as showing asterisks instead of the password characters or limiting visual feedback of each password character to an extremely brief period of time.
Additional resources:
- LIMSpec 32.41
IA-7 Cryptographic module verification
This control recommends the system be capable of authenticating access to a cryptographic module, ensuring the user is authorized to assume the requested role and perform role-based actions within that module.
Additional resources:
- LIMSpec 35.5
IA-8 Identification and authentication (non-organizational users)
This control recommends the system be able to identify and authenticate a non-organizational user or user-propagated process as a single, unique entity by using one or more mechanisms. The choice of these mechanisms will be guided by organizational policy, regulations, laws, standards, and guidance documents. According to NIST, authentication mechanisms will be based on "something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric)."
Additional resources:
- GSA Physical Access Control System Guide
- NIST Special Publications 800-63-3
- NIST Special Publications 800-116, Rev. 1
- LIMSpec 32.25, 32.35, 34.4, and 35.3
IA-8 (1) Identification and authentication (non-organizational users): Acceptance of [personal identity verification] credentials from other agencies
This control enhancement recommends the system be capable of accepting and electronically verifying PIV credentials from more than just the primary organization or agency. The U.S. General Services Administration (GSA) says of PIV credentials: "PIV credentials have certificates and key pairs, pin numbers, biometrics like fingerprints and pictures, and other unique identifiers. When put together into a PIV credential, it provides the capability to implement multi-factor authentication for networks, applications and buildings."[1] These types of credentials are most often associated with federal agencies, and as such this control enhancement may not be required for a non-federal entity or organization.
Additional resources:
- LIMSpec 21.17
IA-8 (2) Identification and authentication (non-organizational users): Acceptance of external authenticators
This control enhancement recommends the system be capable of accepting and electronically verifying external authenticators that comply with NIST SP 800-63B.
Additional resources:
- NIST Special Publications 800-63B
- No LIMSpec comp (LIMSpec currently doesn't address external authenticators)
IA-8 (4) Identification and authentication (non-organizational users): Use of defined profiles
This control enhancement recommends that a system which accepts and electronically verifies identity conform to open identity management standards.
Additional resources:
- Okta's "An Exploration of Open Identity Standards"
- No LIMSpec comp (LIMSpec currently doesn't address FICAM requirements)
[1] "Introduction - PIV Guides". PIV Usage Guides. General Services Administration. https://playbooks.idmanagement.gov/piv/. Retrieved 21 March 2023.