IA — Identification and Authentication

new org

SPRS Score: -1203

Objective Progress 0 / 25 (0.0%)
CMMC Practices MET 0 / 11
Domain Score Impact -27

CMMC scoring changes when all assessment objectives for a practice are MET; objective progress updates as each objective is assessed.

IA.L2-3.5.1 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Identify system users, processes acting on behalf of users, and devices.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.5.1[a] = Not Yet Assessed; 3.5.1[b] = Not Yet Assessed; 3.5.1[c] = Not Yet Assessed

Assessment Objectives (3)

  • 3.5.1[a]
    Determine if: system users are identified.
    Not Yet Assessed
  • 3.5.1[b]
    Determine if: processes acting on behalf of users are identified.
    Not Yet Assessed
  • 3.5.1[c]
    Determine if: devices accessing the system are identified.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; security plan, system design documentation; system configuration settings and associated documentation; system audit logs and records; list of system accounts; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system operations responsibilities; personnel with information security responsibilities; system or network administrators; personnel with account management responsibilities; system developers].
Test: [SELECT FROM: Organizational processes for uniquely identifying and authenticating users; mechanisms supporting or implementing identification and authentication capability].
IA.L2-3.5.2 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.5.2[a] = Not Yet Assessed; 3.5.2[b] = Not Yet Assessed; 3.5.2[c] = Not Yet Assessed

Assessment Objectives (3)

  • 3.5.2[a]
    Determine if: the identity of each user is authenticated or verified as a prerequisite to system access.
    Not Yet Assessed
  • 3.5.2[b]
    Determine if: the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access.
    Not Yet Assessed
  • 3.5.2[c]
    Determine if: the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; security plan; system design documentation; system configuration settings and associated documentation; list of system authenticator types; change control records associated with managing system authenticators; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Mechanisms supporting or implementing authenticator management capability].
IA.L2-3.5.3 DoD Weight: 5 Deduction: -5 Derived
Not Yet Assessed
Requirement: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.5.3[a] = Not Yet Assessed; 3.5.3[b] = Not Yet Assessed; 3.5.3[c] = Not Yet Assessed; 3.5.3[d] = Not Yet Assessed

Assessment Objectives (4)

  • 3.5.3[a]
    Determine if: privileged accounts are identified.
    Not Yet Assessed
  • 3.5.3[b]
    Determine if: multifactor authentication is implemented for local access to privileged accounts.
    Not Yet Assessed
  • 3.5.3[c]
    Determine if: multifactor authentication is implemented for network access to privileged accounts.
    Not Yet Assessed
  • 3.5.3[d]
    Determine if: multifactor authentication is implemented for network access to non-privileged accounts.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; list of system accounts; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing multifactor authentication capability].
IA.L2-3.5.4 DoD Weight: 1 Deduction: -1 Basic
Not Yet Assessed
Requirement: Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.5.4 = Not Yet Assessed

Assessment Objectives (1)

  • 3.5.4
    Determine if: replay-resistant authentication mechanisms are implemented for all network account access to privileged and non-privileged accounts.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; list of privileged system accounts; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing identification and authentication capability or replay resistant authentication mechanisms].
IA.L2-3.5.5 DoD Weight: 1 Deduction: -1 Basic
Not Yet Assessed
Requirement: Prevent reuse of identifiers for a defined period.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.5.5[a] = Not Yet Assessed; 3.5.5[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.5.5[a]
    Determine if: a period within which identifiers cannot be reused is defined.
    Not Yet Assessed
  • 3.5.5[b]
    Determine if: reuse of identifiers is prevented within the defined period.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; security plan; system design documentation; system configuration settings and associated documentation; list of system accounts; list of identifiers generated from physical access control devices; other relevant documents or records].
Interview: [SELECT FROM: Personnel with identifier management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing identifier management].
IA.L2-3.5.6 DoD Weight: 1 Deduction: -1 Basic
Not Yet Assessed
Requirement: Disable identifiers after a defined period of inactivity.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.5.6[a] = Not Yet Assessed; 3.5.6[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.5.6[a]
    Determine if: a period of inactivity after which an identifier is disabled is defined.
    Not Yet Assessed
  • 3.5.6[b]
    Determine if: identifiers are disabled after the defined period of inactivity.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; security plan; system design documentation; system configuration settings and associated documentation; list of system accounts; list of identifiers generated from physical access control devices; other relevant documents or records].
Interview: [SELECT FROM: Personnel with identifier management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing identifier management].
IA.L2-3.5.7 DoD Weight: 1 Deduction: -1 Basic
Not Yet Assessed
Requirement: Enforce a minimum password complexity and change of characters when new passwords are created.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.5.7[a] = Not Yet Assessed; 3.5.7[b] = Not Yet Assessed; 3.5.7[c] = Not Yet Assessed; 3.5.7[d] = Not Yet Assessed

Assessment Objectives (4)

  • 3.5.7[a]
    Determine if: password complexity requirements are defined.
    Not Yet Assessed
  • 3.5.7[b]
    Determine if: password change of character requirements are defined.
    Not Yet Assessed
  • 3.5.7[c]
    Determine if: minimum password complexity requirements as defined are enforced when new passwords are created.
    Not Yet Assessed
  • 3.5.7[d]
    Determine if: minimum password change of character requirements as defined are enforced when new passwords are created.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].
IA.L2-3.5.8 DoD Weight: 1 Deduction: -1 Basic
Not Yet Assessed
Requirement: Prohibit password reuse for a specified number of generations.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.5.8[a] = Not Yet Assessed; 3.5.8[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.5.8[a]
    Determine if: the number of generations during which a password cannot be reused is specified.
    Not Yet Assessed
  • 3.5.8[b]
    Determine if: reuse of passwords is prohibited during the specified number of generations.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].
IA.L2-3.5.9 DoD Weight: 1 Deduction: -1 Basic
Not Yet Assessed
Requirement: Allow temporary password use for system logons with an immediate change to a permanent password.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.5.9 = Not Yet Assessed

Assessment Objectives (1)

  • 3.5.9
    Determine if: an immediate change to a permanent password is required when a temporary password is used for system logon.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].
IA.L2-3.5.10 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Store and transmit only cryptographically-protected passwords.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.5.10[a] = Not Yet Assessed; 3.5.10[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.5.10[a]
    Determine if: passwords are cryptographically protected in storage.
    Not Yet Assessed
  • 3.5.10[b]
    Determine if: passwords are cryptographically protected in transit.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].
IA.L2-3.5.11 DoD Weight: 1 Deduction: -1 Basic
Not Yet Assessed
Requirement: Obscure feedback of authentication information.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.5.11 = Not Yet Assessed

Assessment Objectives (1)

  • 3.5.11
    Determine if: authentication information is obscured during the authentication process.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator feedback; security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing the obscuring of feedback of authentication information during authentication].