IA-05 Authenticator Management

Identification and Authentication

Baselines: Low, Moderate, High

Description

The organization manages information system authenticators by:
(i) defining initial authenticator content;
(ii) establishing administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators;
(iii) changing default authenticators upon information system installation; and
(iv) changing/refreshing authenticators periodically.

Supplemental Guidance

Information system authenticators include, for example, tokens, PKI certificates, biometrics, passwords, and key cards. Users take reasonable measures to safeguard authenticators, including maintaining possession of their individual authenticators, not loaning or sharing authenticators with others, and reporting lost or compromised authenticators immediately.

For password-based authentication, the information system: (i) protects passwords from unauthorized disclosure and modification when stored and transmitted; (ii) prohibits passwords from being displayed when entered; (iii) enforces password minimum and maximum lifetime restrictions; and (iv) prohibits password reuse for a specified number of generations.

For PKI-based authentication, the information system: (i) validates certificates by constructing a certification path to an accepted trust anchor; (ii) establishes user control of the corresponding private key; and (iii) maps the authenticated identity to the user account.

In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems (and associated authenticator management) may also be required to protect nonpublic or privacy-related information. FIPS 201 and Special Publications 800-73, 800-76, and 800-78 specify a personal identity verification (PIV) credential for use in the unique identification and authentication of federal employees and contractors. NIST Special Publication 800-63 provides guidance on remote electronic authentication.
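
Guidance items (i), (iii) and (iv) for password-based authentication, shown as an added Go example; it is not part of the control text and not a NIST reference implementation. The system stores only a random salt and a PBKDF2-HMAC-SHA256 derivation of each password (the storage half of item (i); protection in transit is TLS and is not shown), refuses a change inside the minimum lifetime and refuses login once the maximum lifetime has passed (item (iii)), and rejects a new password that matches any of the last N generations (item (iv)). The policy values (5 generations, 24 hours, 90 days, 100,000 iterations), the Account type and the error names are assumptions made for the example; item (ii), not echoing the password as it is typed, is a user-interface matter and is not modelled.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
)

// Policy parameters: illustrative assumptions, since IA-5 leaves the values to the organization.
const (
	historyDepth = 5                   // generations a password may not be reused across
	minLifetime  = 24 * time.Hour      // earliest permitted change after the last one
	maxLifetime  = 90 * 24 * time.Hour // a change is forced once the password is older
	pbkdf2Iters  = 100_000
)

var (
	ErrBadPassword = errors.New("authentication failed")
	ErrExpired     = errors.New("password older than maximum lifetime; change required")
	ErrTooSoon     = errors.New("password changed within minimum lifetime")
	ErrReused      = errors.New("password matches one of the last generations")
)

// pbkdf2SHA256: one 32-byte block of PBKDF2 (RFC 8018) over HMAC-SHA256, inlined to stay stdlib-only; use crypto/pbkdf2 (Go 1.24+), scrypt or Argon2id in production.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): index of the single output block
	u := mac.Sum(nil)              // U_1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_c
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil) // U_i = PRF(P, U_{i-1})
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// hashedPassword is what gets stored: a random per-password salt and the derived key, never the password (item (i)).
type hashedPassword struct{ Salt, Hash []byte }

func hashPassword(pw string) hashedPassword {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err) // no usable CSPRNG: stop rather than fall back to a weak salt
	}
	return hashedPassword{Salt: salt, Hash: pbkdf2SHA256([]byte(pw), salt, pbkdf2Iters)}
}

func (h hashedPassword) matches(pw string) bool {
	return subtle.ConstantTimeCompare(pbkdf2SHA256([]byte(pw), h.Salt, pbkdf2Iters), h.Hash) == 1
}

// Account holds the current credential, earlier generations (most recent first) and the last change time.
type Account struct {
	Current   hashedPassword
	Previous  []hashedPassword
	ChangedAt time.Time
}

func NewAccount(pw string, now time.Time) *Account {
	return &Account{Current: hashPassword(pw), ChangedAt: now}
}

// Authenticate checks the password, then the maximum lifetime (item (iii)); a correct but stale password yields ErrExpired so the caller forces a change instead of granting access.
func (a *Account) Authenticate(pw string, now time.Time) error {
	if !a.Current.matches(pw) {
		return ErrBadPassword
	}
	if now.Sub(a.ChangedAt) > maxLifetime {
		return ErrExpired
	}
	return nil
}

// ChangePassword enforces the minimum lifetime (item (iii)) and the reuse ban over the last historyDepth generations, the current one included (item (iv)).
func (a *Account) ChangePassword(old, next string, now time.Time) error {
	if !a.Current.matches(old) {
		return ErrBadPassword
	}
	if now.Sub(a.ChangedAt) < minLifetime {
		return ErrTooSoon
	}
	for _, p := range append([]hashedPassword{a.Current}, a.Previous...) {
		if p.matches(next) {
			return ErrReused
		}
	}
	a.Previous = append([]hashedPassword{a.Current}, a.Previous...)
	if len(a.Previous) > historyDepth-1 {
		a.Previous = a.Previous[:historyDepth-1]
	}
	a.Current, a.ChangedAt = hashPassword(next), now
	return nil
}
```

Two design points worth noting. Reuse can only be tested by re-deriving the candidate against every stored generation's own salt, which is why the history keeps salt and hash pairs rather than a single shared salt, and why a deep history has a real CPU cost. The comparison is constant-time and the lifetime check runs only after the password has verified, so a caller cannot learn anything about a stored password from the expiry path alone; rate limiting of attempts belongs in front of this code and is not shown.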

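The three PKI-based steps, as an added Go example that is neither the control's text nor any product's code. It builds an in-memory root CA, a user certificate chained to it and a self-signed certificate carrying the same name, then (i) validates the certification path to the trust anchor with crypto/x509, (ii) establishes control of the private key by verifying a signature over a fresh nonce, and (iii) maps the validated rfc822Name SAN to a local account. The CA, the identity alice@example.test, the account table and the PKIAuthenticator type are constructed for the example; revocation checking (CRL/OCSP) is omitted because the standard library does not provide it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKIAuthenticator is the relying party: accepted trust anchors plus the binding from a certificate's rfc822Name SAN to a local account.
type PKIAuthenticator struct {
	Roots    *x509.CertPool
	Accounts map[string]string
}

func NewPKIAuthenticator(anchor *x509.Certificate, accounts map[string]string) *PKIAuthenticator {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	return &PKIAuthenticator{Roots: pool, Accounts: accounts}
}

// NewChallenge returns a fresh nonce; one per attempt, so a captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// SignChallenge is the user's side of item (ii): prove control of the private key by signing the nonce.
func SignChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	d := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, d[:])
}

// Authenticate performs items (i) to (iii) in order: nothing in the certificate is trusted until the path has validated.
func (p *PKIAuthenticator) Authenticate(cert *x509.Certificate, nonce, sig []byte, now time.Time) (string, error) {
	// (i) path to an accepted trust anchor, valid at now, usable for client auth. CRL/OCSP not shown.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: p.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("path validation failed: %w", err)
	}
	// (ii) proof of possession of the private key matching the certificate's public key.
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return "", errors.New("proof of possession failed")
	}
	// (iii) map the identity to an account, using only a name from the validated certificate; unbound certificates are rejected.
	for _, email := range cert.EmailAddresses {
		if acct, ok := p.Accounts[email]; ok {
			return acct, nil
		}
	}
	return "", errors.New("certificate identity is not bound to an account")
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate for pub with signer; passing tmpl as parent makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildTestPKI constructs, in memory, a root CA, a user certificate chained to it and a self-signed "rogue" certificate with the same identity but no path to the root. All sample data.
func BuildTestPKI(now time.Time) (root, user, rogue *x509.Certificate, userKey, rogueKey *ecdsa.PrivateKey, err error) {
	rootKey := genKey()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if root, err = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		EmailAddresses: []string{"alice@example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	userKey, rogueKey = genKey(), genKey()
	if user, err = issue(userTmpl, root, &userKey.PublicKey, rootKey); err != nil {
		return
	}
	rogue, err = issue(userTmpl, userTmpl, &rogueKey.PublicKey, rogueKey)
	return
}
```

The order of the three checks is the point: a self-signed certificate asserting alice's name fails at step (i) before its contents are looked at, a genuine certificate presented by someone without the key fails at step (ii), and a replayed signature fails because the nonce differs; the account lookup in step (iii) keys on the SAN from the validated certificate, not on a name the client supplies separately. In a deployed system the pool would hold the organization's accepted anchors and the lookup would also check revocation status.
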
Changes from Rev 4

- Removes the requirement to change default content of authenticators prior to information system installation
- New parameter requires specifying events that require changing or refreshing authenticators
- Changes 'security safeguards' to 'controls'
- Discussion includes new examples

Enhancements

(0) None.

MITRE ATT&CK Techniques (72)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Initial Access (4), Execution (1), Persistence (19), Privilege Escalation (8), Defense Evasion (15), Credential Access (43), Discovery (1), Lateral Movement (8), Collection (3). A technique that belongs to more than one tactic is counted under each, so the per-tactic counts exceed the 72 distinct techniques.

Compliance Mappings

ISO 27001:2022

A.5.16, A.5.17, A.8.5

ISO 27002:2022

5.16, 5.17, 8.5

COBIT 2019

DSS05

CIS Controls v8

CIS 14.3, CIS 4.7, CIS 5, CIS 5.2

NIST CSF 2.0

PR.AA-01, PR.AA-02, PR.AA-04

SOC 2 TSC

CC6.1

PCI DSS v4.0.1

2.2.1, 2.2.2, 8.2, 8.3, 8.3.6, 8.3.9, 8.6

CSA CCM v4

IAM-02, IAM-06, IAM-14, IAM-15

CSA AICM v1

IAM-02, IAM-06, IAM-14, IAM-15

FINOS CCC

CCC-C11

IEC 62443

3-3 SR 1.1, 3-3 SR 1.5, 3-3 SR 1.7

MAS TRM

9

ASD Essential Eight

E8-5 ML3, E8-7

BSI IT-Grundschutz

ORP.4

ANSSI

Hygiene.10, Hygiene.12, RGS.2.2, SecNumCloud.10.5

FINMA Circular 2023/1

IV.B.d(59), IV.B.d(60), IV.C(61)

OSFI B-13

B-13.3.2

EU GDPR

Art.32(1)(a), Art.32(1)(b)

EU DORA

Art.9(3), Art.9(4)(c), Art.9(4)(d)

BIO2

5.16, 5.17, 8.5

RBI CSF

Annex1.8, Annex1.9, ITGRCA.19

FISC Security Guidelines

FISC.T10, FISC.T2

LGPD + BCB 4893

BCB.Art.3, BCB.OpenFinance, BCB.PIX, LGPD.Art.46

HKMA TM-E-1

TME1.10.4, TME1.8.2, TME1.8.3

MLPS 2.0

8.1.10.7, 8.1.4.1

DNB Good Practice

DNB.17.1, DNB.17.2

EU CRA

CRA.I.2d

SWIFT CSCF

SWIFT.4.1, SWIFT.4.2, SWIFT.5.2, SWIFT.5.4

SAMA CSF

3.1

NCA ECC

2-2

UAE IA

T9

CBB TM

TM-6

Qatar NIA

AC

CBUAE

CR-4

CBE CSF

CTO-1, CTO-5

SA JS2

JS2-7.1, JS2-8.1

CBN CSF

Part3.2

BoG CISD

CISD-IX, CISD-VIII

POPIA

s19

BoM CTRM

3.3

IOSCO Cyber Resilience

PROT-1

CPMI-IOSCO PFMI

CG.PR, PFMI.P17

FFIEC IS

II.C.15, II.C.15(a), II.C.7(b)

NYDFS 500

500.12, 500.7

HIPAA Security Rule

§164.308(a)(4)(ii)(C), §164.308(a)(5)(ii)(D), §164.312(d)

ECB CROE

CROE.2.3.1

EBA ICT Guidelines

3.4.2, 3.8(b)

SEBI CSCRF

PR.AA

BOT Cyber Resilience

Ch2.2

CMMC 2.0

AC, IA

NERC CIP

CIP-007-6

10 CFR 73.54

RG5.71-A-AC

TSA Pipeline SD

SD-2 Sec B

IEEE 1686-2022

5.1, 5.7

DOE C2M2 v2.1

ACCESS

API 1164

Sec 6

AWIA

AWWA Sec 3

IAEA NSS 17-T

Sec 5.2

FIPS 140-3

FIPS 140-3 §7.4, FIPS 140-3 §7.9

PCI HSM

9

Common Criteria

CC Part 2 — FIA

ISAE 3402

Clause 4

Solvency II

EIOPA-ICT-4.4

Lloyd's Minimum Standards

MS8.3

NAIC Insurance Data Security

4-access, 4B

PRA SS1/23

P-IT.1

FCA SYSC 13

SYSC 13.7.3

HITRUST CSF v11

01.a, 01.c

FDA 21 CFR Part 11

§11.10(d), §11.100(a), §11.100(b), §11.200(a)(1), §11.200(a)(1)(ii), §11.200(a)(2), §11.300(a), §11.300(b), §11.300(c), §11.300(e)

FDA Cybersecurity Guidance

SA-1

ISO 27799

9.3, 9.4

NHS DSPT

NDG-4.1, NDG-4.2, NDG-4.3

OWASP MASVS v2.1

MASVS-AUTH-1, MASVS-AUTH-2, MASVS-NETWORK-2

CCSS v9.0

1.04.1, 1.04.2, 1.06.2

MiCA

Art.40(1), Art.55(1), Art.63(1), Art.67(1), Art.76(1)

Basel SCO60

SCO60.61, SCO60.62, SCO60.66

BSSC Standards

NOS-05, NOS-08, KMS-06, KMS-07, KMS-08, GSP-11

SEC Custody (Digital Assets)

SEC-CD-02, SEC-CD-03, SEC-CD-05, SEC-CD-06, SEC-CD-07, SEC-CD-16

ISO 17799 (legacy)

11.5.2, 11.5.3

COBIT 4.1 (legacy)

None.