The following compliance controls are associated with this Policy definition 'Identify and authenticate non-organizational users' (e1379836-3492-6395-451d-2f5062e14136):
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | IA-8 | FedRAMP_High_R4_IA-8 | FedRAMP High IA-8 | Identification And Authentication | Identification And Authentication (Non-Organizational Users) | Shared | n/a | The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). Supplemental Guidance: Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users. Related controls: AC-2, AC-14, AC-17, AC-18, IA-2, IA-4, IA-5, MA-4, RA-3, SA-12, SC-8. References: OMB Memoranda 04-04, 11-11, 10-06-2011; FICAM Roadmap and Implementation Guidance; FIPS Publication 201; NIST Special Publications 800-63, 800-116; National Strategy for Trusted Identities in Cyberspace; Web: http://idmanagement.gov. | link | 1 |
| FedRAMP_Moderate_R4 | IA-8 | FedRAMP_Moderate_R4_IA-8 | FedRAMP Moderate IA-8 | Identification And Authentication | Identification And Authentication (Non-Organizational Users) | Shared | n/a | The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). Supplemental Guidance: Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users. Related controls: AC-2, AC-14, AC-17, AC-18, IA-2, IA-4, IA-5, MA-4, RA-3, SA-12, SC-8. References: OMB Memoranda 04-04, 11-11, 10-06-2011; FICAM Roadmap and Implementation Guidance; FIPS Publication 201; NIST Special Publications 800-63, 800-116; National Strategy for Trusted Identities in Cyberspace; Web: http://idmanagement.gov. | link | 1 |
| hipaa | 0861.09m2Organizational.67-09.m | hipaa-0861.09m2Organizational.67-09.m | 0861.09m2Organizational.67-09.m | 08 Network Protection | 0861.09m2Organizational.67-09.m 09.06 Network Security Management | Shared | n/a | To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution, or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system. | | 7 |
| hipaa | 0870.09m3Organizational.20-09.m | hipaa-0870.09m3Organizational.20-09.m | 0870.09m3Organizational.20-09.m | 08 Network Protection | 0870.09m3Organizational.20-09.m 09.06 Network Security Management | Shared | n/a | Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required. | | 8 |
| hipaa | 1006.01d2System.1-01.d | hipaa-1006.01d2System.1-01.d | 1006.01d2System.1-01.d | 10 Password Management | 1006.01d2System.1-01.d 01.02 Authorized Access to Information Systems | Shared | n/a | Passwords are not included in automated log-on processes. | | 5 |
| hipaa | 1122.01q1System.1-01.q | hipaa-1122.01q1System.1-01.q | 1122.01q1System.1-01.q | 11 Access Control | 1122.01q1System.1-01.q 01.05 Operating System Access Control | Shared | n/a | Unique IDs that can be used to trace activities to the responsible individual are required for all types of organizational and non-organizational users. | | 7 |
| hipaa | 1424.05j2Organizational.5-05.j | hipaa-1424.05j2Organizational.5-05.j | 1424.05j2Organizational.5-05.j | 14 Third Party Assurance | 1424.05j2Organizational.5-05.j 05.02 External Parties | Shared | n/a | The organization has a formal mechanism to authenticate the customer's identity prior to granting access to covered information. | | 8 |
| ISO27001-2013 | A.10.1.2 | ISO27001-2013_A.10.1.2 | ISO 27001:2013 A.10.1.2 | Cryptography | Key Management | Shared | n/a | A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. | link | 15 |
| ISO27001-2013 | A.14.1.2 | ISO27001-2013_A.14.1.2 | ISO 27001:2013 A.14.1.2 | System Acquisition, Development And Maintenance | Securing application services on public networks | Shared | n/a | Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. | link | 32 |
| ISO27001-2013 | A.14.1.3 | ISO27001-2013_A.14.1.3 | ISO 27001:2013 A.14.1.3 | System Acquisition, Development And Maintenance | Protecting application services transactions | Shared | n/a | Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. | link | 29 |
| ISO27001-2013 | A.9.1.2 | ISO27001-2013_A.9.1.2 | ISO 27001:2013 A.9.1.2 | Access Control | Access to networks and network services | Shared | n/a | Users shall only be provided with access to the network and network services that they have been specifically authorized to use. | link | 29 |
| ISO27001-2013 | A.9.2.1 | ISO27001-2013_A.9.2.1 | ISO 27001:2013 A.9.2.1 | Access Control | User registration and de-registration | Shared | n/a | A formal user registration and de-registration process shall be implemented to enable assignment of access rights. | link | 27 |
| ISO27001-2013 | A.9.4.2 | ISO27001-2013_A.9.4.2 | ISO 27001:2013 A.9.4.2 | Access Control | Secure log-on procedures | Shared | n/a | Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. | link | 17 |
| | mp.com.2 Protection of confidentiality | mp.com.2 Protection of confidentiality | 404 not found | | | | n/a | n/a | | 55 |
| | mp.com.3 Protection of integrity and authenticity | mp.com.3 Protection of integrity and authenticity | 404 not found | | | | n/a | n/a | | 62 |
| | mp.info.3 Electronic signature | mp.info.3 Electronic signature | 404 not found | | | | n/a | n/a | | 40 |
| | mp.info.4 Time stamps | mp.info.4 Time stamps | 404 not found | | | | n/a | n/a | | 33 |
| | mp.s.2 Protection of web services and applications | mp.s.2 Protection of web services and applications | 404 not found | | | | n/a | n/a | | 102 |
| NIST_SP_800-53_R4 | IA-8 | NIST_SP_800-53_R4_IA-8 | NIST SP 800-53 Rev. 4 IA-8 | Identification And Authentication | Identification And Authentication (Non-Organizational Users) | Shared | n/a | The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). Supplemental Guidance: Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users. Related controls: AC-2, AC-14, AC-17, AC-18, IA-2, IA-4, IA-5, MA-4, RA-3, SA-12, SC-8. References: OMB Memoranda 04-04, 11-11, 10-06-2011; FICAM Roadmap and Implementation Guidance; FIPS Publication 201; NIST Special Publications 800-63, 800-116; National Strategy for Trusted Identities in Cyberspace; Web: http://idmanagement.gov. | link | 1 |
| NIST_SP_800-53_R5 | IA-8 | NIST_SP_800-53_R5_IA-8 | NIST SP 800-53 Rev. 5 IA-8 | Identification and Authentication | Identification and Authentication (Non-organizational Users) | Shared | n/a | Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. | link | 1 |
| | op.acc.1 Identification | op.acc.1 Identification | 404 not found | | | | n/a | n/a | | 66 |
| | op.acc.2 Access requirements | op.acc.2 Access requirements | 404 not found | | | | n/a | n/a | | 64 |
| | op.acc.5 Authentication mechanism (external users) | op.acc.5 Authentication mechanism (external users) | 404 not found | | | | n/a | n/a | | 72 |
| | op.acc.6 Authentication mechanism (organization users) | op.acc.6 Authentication mechanism (organization users) | 404 not found | | | | n/a | n/a | | 78 |
| | op.exp.10 Cryptographic key protection | op.exp.10 Cryptographic key protection | 404 not found | | | | n/a | n/a | | 53 |
| | op.ext.4 Interconnection of systems | op.ext.4 Interconnection of systems | 404 not found | | | | n/a | n/a | | 68 |
| | op.pl.3 Acquisition of new components | op.pl.3 Acquisition of new components | 404 not found | | | | n/a | n/a | | 61 |
| PCI_DSS_v4.0 | 8.2.7 | PCI_DSS_v4.0_8.2.7 | PCI DSS v4.0 8.2.7 | Requirement 08: Identify Users and Authenticate Access to System Components | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Shared | n/a | Accounts used by third parties to access, support, or maintain system components via remote access are managed as follows: (1) enabled only during the time period needed and disabled when not in use; (2) use is monitored for unexpected activity. | link | 6 |