compliance controls are associated with this Policy definition 'Require use of individual authenticators' (08ad71d0-52be-6503-4908-e015460a16ae)
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | IA-2(5) | FedRAMP_High_R4_IA-2(5) | FedRAMP High IA-2 (5) | Identification And Authentication | Group Authentication | Shared | n/a | The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. Supplemental Guidance: Requiring individuals to use individual authenticators as a second level of authentication helps organizations to mitigate the risk of using group authenticators. | link | 1 |
| FedRAMP_Moderate_R4 | IA-2(5) | FedRAMP_Moderate_R4_IA-2(5) | FedRAMP Moderate IA-2 (5) | Identification And Authentication | Group Authentication | Shared | n/a | The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. Supplemental Guidance: Requiring individuals to use individual authenticators as a second level of authentication helps organizations to mitigate the risk of using group authenticators. | link | 1 |
| hipaa | 1178.01j2Organizational.7-01.j | hipaa-1178.01j2Organizational.7-01.j | 1178.01j2Organizational.7-01.j | 11 Access Control | 1178.01j2Organizational.7-01.j 01.04 Network Access Control | Shared | n/a | Node authentication, including cryptographic techniques (e.g., machine certificates), can serve as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility. | | 4 |
| NIST_SP_800-171_R2_3 | .5.1 | NIST_SP_800-171_R2_3.5.1 | NIST SP 800-171 R2 3.5.1 | Identification and Authentication | Identify system users, processes acting on behalf of users, and devices. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. | link | 9 |
| NIST_SP_800-53_R4 | IA-2(5) | NIST_SP_800-53_R4_IA-2(5) | NIST SP 800-53 Rev. 4 IA-2 (5) | Identification And Authentication | Group Authentication | Shared | n/a | The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. Supplemental Guidance: Requiring individuals to use individual authenticators as a second level of authentication helps organizations to mitigate the risk of using group authenticators. | link | 1 |
| NIST_SP_800-53_R5 | IA-2(5) | NIST_SP_800-53_R5_IA-2(5) | NIST SP 800-53 Rev. 5 IA-2 (5) | Identification and Authentication | Individual Authentication with Group Authentication | Shared | n/a | When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources. | link | 1 |
| PCI_DSS_v4.0 | 8.2.2 | PCI_DSS_v4.0_8.2.2 | PCI DSS v4.0 8.2.2 | Requirement 08: Identify Users and Authenticate Access to System Components | User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle | Shared | n/a | Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows: • Account use is prevented unless needed for an exceptional circumstance. • Use is limited to the time needed for the exceptional circumstance. • Business justification for use is documented. • Use is explicitly approved by management. • Individual user identity is confirmed before access to an account is granted. • Every action taken is attributable to an individual user. | link | 4 |