Description
Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
Supplemental Guidance
In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.
Changes from Rev 4
New control in Rev 5.
MITRE ATT&CK Techniques (7)
ATT&CK v16.1. Techniques mitigated by this control, mapped via CTID.
Tactics covered: Persistence (2), Defense Evasion (2), Credential Access (7)
Compliance Mappings
ISO 27001:2022
A.8.5
ISO 27002:2022
5.17, 8.5
COBIT 2019
DSS05
MAS TRM
9
BSI IT-Grundschutz
ORP.4
BIO2
5.17, 8.5
RBI CSF
Annex1.8
HKMA TM-E-1
TME1.10.4, TME1.8.3
MLPS 2.0
8.1.4.1
EU CRA
CRA.I.2d
SAMA CSF
3.1
NCA ECC
2-2
UAE IA
T9
CBB TM
TM-6
Qatar NIA
AC
CBUAE
CR-4
CBE CSF
CTO-1
SA JS2
JS2-7.1, JS2-8.1
CBN CSF
Part3.2
BoG CISD
CISD-VIII
BoM CTRM
3.3
FFIEC IS
II.C.15
HIPAA Security Rule
§164.308(a)(5)(ii)(D), §164.312(d)
EBA ICT Guidelines
3.8(b)
BOT Cyber Resilience
Ch2.2
CMMC 2.0
IA
Common Criteria
CC Part 2 — FIA
HITRUST CSF v11
01.c
FDA 21 CFR Part 11
§11.200(a)(1)(i), §11.200(a)(1)(ii)
FDA Cybersecurity Guidance
SA-1
ISO 27799
9.4
NHS DSPT
NDG-4.3
OWASP MASVS v2.1
MASVS-AUTH-3