Control: The information system uniquely identifies and authenticates organisational users (or processes acting on behalf of organisational users).
Supplemental Guidance: Organisational users include employees or individuals that organisations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorised use of group authenticators without individual authentication. Organisations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organisations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multi factor authentication, or some combination thereof. Access to organisational information systems is defined as either local access or network access. Local access is any access to organisational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organisational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organisation- controlled endpoints and non-organisation controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network.
Organisations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organisational implementation plans. Multi factor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multi factor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organisations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organisational users are described in IA-8.
Related controls: AC-2, AC-3, AC-14, AC-17, AC-18, IA-4, IA-5, IA-8.
Identification and Authentication Control Enhancements:
IA-2 (1) Identification and Authentication - Network Access to Privileged Accounts
The information system implements multi factor authentication for network access to privileged accounts.
Supplemental Guidance: Related control: AC-6.
IA-2 (2) Identification and Authentication - Network Access to Non-Privileged Accounts
The information system implements multi factor authentication for network access to non- privileged accounts.
IA-2 (3) Identification and Authentication - Local Access to Privileged Accounts
The information system implements multi-factor authentication for local access to privileged accounts.
Supplemental Guidance: Related control: AC-6.
IA-2 (4) Identification and Authentication - Local Access to Non-Privileged Accounts
The information system implements multi factor authentication for local access to non-privileged accounts.
IA-2 (5) Identification and Authentication - Group Authentication
The organisation requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
Supplemental Guidance: Requiring individuals to use individual authenticators as a second level of authentication helps organisations to mitigate the risk of using group authenticators.
IA-2 (6) Identification and Authentication - Network Access to Privileged Accounts - Separate Device
The information system implements multi-factor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organisation-defined strength of mechanism requirements].
Supplemental Guidance: Related control: AC-6.
IA-2 (7) Identification and Authentication - Network Access to Non-Privileged Accounts - Separate Device
The information system implements multi factor authentication for network access to non- privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organisation-defined strength of mechanism requirements].
IA-2 (8) Identification and Authentication - Network Access to Privileged Accounts - Replay Resistant
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
Supplemental Guidance: Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay- resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.
IA-2 (9) Identification and Authentication - Network Access to Non-Privileged Accounts - Replay Resistant
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
Supplemental Guidance: Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.
IA-2 (10) Identification and Authentication - Single Sign-On
The information system provides a single sign-on capability for [Assignment: organisation-defined information system accounts and services].
Supplemental Guidance: Single sign-on enables users to log in once and gain access to multiple information system resources. Organisations consider the operational efficiencies provided by single sign-on capabilities with the increased risk from disclosures of single authenticators providing access to multiple system resources.
IA-2 (11) Identification and Authentication - Remote access - Separate device
The information system implements multi-factor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organisation-defined strength of mechanism requirements].
Supplemental Guidance: For remote access to privileged / non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multi-factor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organisational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorised users.
Related control: AC-6.
IA-2 (12) Identification and Authentication - Acceptance of PIV Credentials
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.
Supplemental Guidance: This control enhancement applies to organisations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.
IA-2 (13) Identification and Authentication - Out of band Authentication
The information system implements [Assignment: organisation-defined out-of-band authentication] under [Assignment: organisation-defined conditions].
Supplemental Guidance: Out-of-band authentication (OOBA) refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path), is used to identify and authenticate users or devices, and generally is the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access, and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user’s cell phone to verify that the requested action originated