IA-02 User Identification And Authentication

Identification and Authentication

Low, Moderate, High

Description

The information system uniquely identifies and authenticates users (or processes acting on behalf of users).

Supplemental Guidance

Users are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization in accordance with security control AC-14. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof. NIST Special Publication 800-63 provides guidance on remote electronic authentication including strength of authentication mechanisms. For purposes of this control, the guidance provided in Special Publication 800-63 is applied to both local and remote access to information systems. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Local access is any access to an organizational information system by a user (or an information system) communicating through an internal organization-controlled network (e.g., local area network) or directly to a device without the use of a network. Unless a more stringent control enhancement is specified, authentication for both local and remote information system access is NIST Special Publication 800-63 level 1 compliant. FIPS 201 and Special Publications 800-73, 800-76, and 800-78 specify a personal identity verification (PIV) credential for use in the unique identification and authentication of federal employees and contractors. In addition to identifying and authenticating users at the information system level (i.e., at system logon), identification and authentication mechanisms are employed at the application level, when necessary, to provide increased information security for the organization. In accordance with OMB policy and the E-Authentication E-Government initiative, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information.
The e-authentication risk assessment conducted in accordance with OMB Memorandum 04-04 is used in determining the NIST Special Publication 800-63 compliance requirements for such accesses with regard to the IA-02 control and its enhancements. Scalability, practicality, and security issues are simultaneously considered in balancing the need to ensure ease of use for public access to such information and information systems with the need to protect organizational operations, organizational assets, and individuals. Related security controls: AC-14, AC-17.

MITRE ATT&CK Techniques (173)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Initial Access: 6
Execution: 20
Persistence: 53
Privilege Escalation: 43
Defense Evasion: 59
Credential Access: 42
Discovery: 6
Lateral Movement: 18
Collection: 11
Exfiltration: 1
Impact: 2

Persistence

T1053 T1078 T1098 T1133 T1136 T1197 T1505 T1525 T1542 T1543 T1556 T1574 T1053.002 T1053.003 T1053.005 T1053.006 T1053.007 T1078.002 T1078.003 T1078.004 T1098.001 T1098.002 T1098.003 T1098.004 T1098.007 T1136.001 T1136.002 T1136.003 T1505.002 T1505.004 T1542.001 T1542.003 T1542.005 T1543.001 T1543.002 T1543.003 T1543.004 T1543.005 T1546.003 T1547.004 T1547.006 T1547.009 T1547.012 T1547.013 T1556.001 T1556.003 T1556.004 T1556.006 T1556.007 T1556.009 T1574.005 T1574.010 T1574.012

Privilege Escalation

Defense Evasion

T1055 T1078 T1134 T1197 T1218 T1222 T1484 T1542 T1548 T1550 T1556 T1562 T1574 T1578 T1599 T1601 T1610 T1036.007 T1036.010 T1055.008 T1078.002 T1078.003 T1078.004 T1134.001 T1134.002 T1134.003 T1218.007 T1222.001 T1222.002 T1542.001 T1542.003 T1542.005 T1548.002 T1548.003 T1550.001 T1550.002 T1550.003 T1556.001 T1556.003 T1556.004 T1556.006 T1556.007 T1556.009 T1562.001 T1562.002 T1562.004 T1562.006 T1562.007 T1562.008 T1562.009 T1574.005 T1574.010 T1574.012 T1578.001 T1578.002 T1578.003 T1599.001 T1601.001 T1601.002

Credential Access

Compliance Mappings

ISO 27001:2022

A.5.16, A.8.5

ISO 27002:2022

5.16, 8.5

COBIT 2019

DSS05

CIS Controls v8

CIS 12.5, CIS 12.7, CIS 5, CIS 5.6, CIS 6.3, CIS 6.4, CIS 6.5

NIST CSF 2.0

PR.AA-01, PR.AA-03, PR.AA-04

SOC 2 TSC

CC6.1, CC6.1-POF3, CC6.1-POF4, CC6.1-POF8

PCI DSS v4.0.1

8.1, 8.3, 8.4, 8.5

CSA CCM v4

IAM-10, IAM-13, IAM-14, IAM-15

CSA AICM v1

IAM-10, IAM-13, IAM-14, IAM-15, IAM-17

FINOS CCC

CCC-C03, CCC-C11

IEC 62443

3-3 SR 1.1

NIS2 Directive

Art. 21(2)(j)

MAS TRM

149

ASD Essential Eight

E8-7, E8-7 ML1, E8-7 ML2, E8-7 ML3

BSI IT-Grundschutz

ORP.4

ANSSI

Hygiene.10, Hygiene.11, Hygiene.12, RGS.2.2, SecNumCloud.10.5

FINMA Circular 2023/1

IV.B.d(59), IV.B.d(60), IV.C(61)

OSFI B-13

B-13.3.2

EU GDPR

Art.32(1)(b), Art.32(1)(d)

EU DORA

Art.9(4)(c), Art.9(4)(d)

BIO2

5.16, 8.5

RBI CSF

Annex1.8, Annex1.9, ITGRCA.19

FISC Security Guidelines

FISC.T10, FISC.T11, FISC.T2

LGPD + BCB 4893

BCB.Art.3, BCB.OpenFinance, BCB.PIX, LGPD.Art.46

HKMA TM-E-1

TME1.10.2, TME1.10.4, TME1.8.2, TME1.8.3, TME1.8.5

MLPS 2.0

8.1.4.18.2

DNB Good Practice

DNB.17.1

EU CRA

CRA.I.2d

SWIFT CSCF

SWIFT.1.2, SWIFT.4.2

SAMA CSF

3.1

NCA ECC

2-25-1

UAE IA

T9

CBB TM

TM-6

Qatar NIA

AC

CBUAE

CR-4

CBE CSF

CTO-1, CTO-5

SA JS2

JS2-7.1, JS2-8.1

CBN CSF

Part3.2, Part5.2

BoG CISD

CISD-IX, CISD-VIII

POPIA

s19

BoM CTRM

3.133.3

IOSCO Cyber Resilience

PROT-1

CPMI-IOSCO PFMI

CG.PR, PFMI.P17

FFIEC IS

II.C.15, II.C.15(a), II.C.15(b), II.C.15(c), II.C.16, II.C.7(b)

NYDFS 500

500.12, 500.7

HIPAA Security Rule

§164.310(a)(2)(iii), §164.312(a)(2)(i), §164.312(d)

ECB CROE

CROE.2.3.1

EBA ICT Guidelines

3.4.2, 3.8(b)

SEBI CSCRF

PR.AA

BOT Cyber Resilience

Ch2.2, Ch8.2, Ch9.1

CMMC 2.0

AC, IA

NERC CIP

CIP-005-7

10 CFR 73.54

RG5.71-A-AC

TSA Pipeline SD

SD-2 Sec B

IEEE 1686-2022

5.1

FERC CIP Orders

Order 850

DOE C2M2 v2.1

ACCESS

API 1164

Sec 6

AWIA

AWWA Sec 3

IAEA NSS 17-T

Sec 5.2

PCI PTS v6

C

FIPS 140-3

FIPS 140-3 §7.4

Common Criteria

CC Part 2 — FIA

ISAE 3402

Clause 4

Solvency II

EIOPA-ICT-4.4

Lloyd's Minimum Standards

MS8.3

NAIC Insurance Data Security

4-access, 4B

PRA SS1/23

P-IT.1

FCA SYSC 13

SYSC 13.7.3

HITRUST CSF v11

01.a, 01.c

FDA 21 CFR Part 11

§11.10(d), §11.100(a), §11.200(a)(1), §11.200(a)(1)(ii), §11.200(a)(2), §11.200(a)(3)

FDA Cybersecurity Guidance

SA-1

ISO 27799

9.3, 9.4, H.5

NHS DSPT

NDG-4.1, NDG-4.3

OWASP MASVS v2.1

MASVS-AUTH-1, MASVS-AUTH-2, MASVS-AUTH-3

CCSS v9.0

1.03.5, 1.04.1, 1.04.3, 1.05.1, 1.05.3

MiCA

Art.40(1), Art.55(1), Art.63(1), Art.67(1), Art.72(1), Art.76(1)

Basel SCO60

SCO60.62, SCO60.66, SCO60.71

BSSC Standards

NOS-05, KMS-06, GSP-11

SEC Custody (Digital Assets)

SEC-CD-03, SEC-CD-05, SEC-CD-16

ISO 17799 (legacy)

11.2.3, 11.4.2, 11.5.2

COBIT 4.1 (legacy)

AI2.4, DS5.3