OVERVIEW (IA-1)

This policy document provides security policy requirements for the management of user identification and authentication which is required to safeguard access to information and information systems.

IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) (IA-2)

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS (IA-2 (1))

The information system implements multi-factor authentication for network access to privileged accounts. (POAM)

IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS (IA-2 (12))

PIV is not supported or required by the application.

IDENTIFIER MANAGEMENT (IA-4)

The organization manages information system identifiers by:

  1. Receiving authorization from IT Management to assign an individual, group, role, or device identifier
  2. Selecting an identifier that identifies an individual, group, role, or device (typically email)
  3. Assigning the identifier to the intended individual, group, role, or device
  4. Preventing reuse of identifiers for a minimum of 2 years
  5. Disabling the identifier after 90 days of account inactivity

AUTHENTICATOR MANAGEMENT (IA-5)

The organization manages information system authenticators by:

  1. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator
  2. Establishing initial authenticator content for authenticators defined by the organization
  3. Ensuring that authenticators have sufficient strength of mechanism for their intended use
  4. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators
  5. Changing default content of authenticators prior to information system installation
  6. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators
  7. Protecting authenticator content from unauthorized disclosure and modification
  8. Changing authenticators for group/role accounts when membership to those accounts changes.

AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION (IA-5 (1))

The information system, for password-based authentication:

  1. Enforces minimum password complexity of at least 8 characters, including 1 special character, 1 uppercase character and 1 numeric character.
  2. Enforces at least the following number of changed characters when new passwords are created: 1 character change required
  3. Stores and transmits only encrypted representations of passwords
  4. Requires passwords/passphrases to be changed at least every 90 days for user accounts, every 60 days for privileged accounts, and every 180 days for device, service and application accounts.
  5. Limits password resets to a maximum of 8 per day
  6. Prohibits password reuse for a minimum of 24 generations
  7. Allows the use of a temporary password for system logons with an immediate change to a permanent password.
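
The password rules in the list above, implemented as an added enforcement check (example code, not part of this policy document): complexity (item 1), the changed-character minimum (item 2), hashed-only storage (item 3) and the 24-generation reuse history (item 6). The PBKDF2 work factor and the way changed characters are counted are assumptions.

```python
import hashlib
import hmac
import os
import re

# Parameters taken from the IA-5(1) list above.
MIN_LENGTH = 8
MIN_CHANGED_CHARS = 1
REUSE_GENERATIONS = 24
PBKDF2_ROUNDS = 100_000  # work factor is an assumption, not a policy value


def complexity_errors(password: str) -> list[str]:
    """Return the item 1 rules that `password` fails; an empty list means compliant."""
    rules = [
        (len(password) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (re.search(r"[A-Z]", password), "an uppercase character"),
        (re.search(r"[0-9]", password), "a numeric character"),
        (re.search(r"[^A-Za-z0-9]", password), "a special character"),
    ]
    return [text for ok, text in rules if not ok]


def changed_chars(old: str, new: str) -> int:
    """Item 2 measure (assumed definition): differing positions plus any length difference."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only this pair is stored, never the cleartext (item 3)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches(password: str, entry: tuple[bytes, bytes]) -> bool:
    """Constant-time comparison of a candidate against one stored (salt, digest) pair."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def change_password(history: list[tuple[bytes, bytes]], current: str, new: str):
    """history holds (salt, digest) pairs newest-first; the caller has already
    authenticated `current`. Returns (accepted, reasons, updated_history)."""
    reasons = [f"password needs {r}" for r in complexity_errors(new)]
    if changed_chars(current, new) < MIN_CHANGED_CHARS:
        reasons.append(f"at least {MIN_CHANGED_CHARS} character must change")
    if any(matches(new, entry) for entry in history[:REUSE_GENERATIONS]):
        reasons.append(f"reuse within the last {REUSE_GENERATIONS} generations")
    if reasons:
        return False, reasons, history
    return True, [], ([hash_password(new)] + history)[:REUSE_GENERATIONS]
```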

AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION (IA-5 (11))

Token-based authentication is not supported or required by the application.

AUTHENTICATOR FEEDBACK (IA-6)

The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

CRYPTOGRAPHIC MODULE AUTHENTICATION (IA-7)

The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Reference System and Communication Protection Policy for more information on cryptographic keys.

IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) (IA-8)

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES (IA-8 (1))

PIV is not supported or required by the application.

IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF THIRD-PARTY CREDENTIALS (IA-8 (2))

The information system accepts only FICAM-approved third-party credentials (SAML 2.0 and OpenID 2.0 are supported).

IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-APPROVED PRODUCTS (IA-8 (3))

The organization employs only FICAM-approved information system components to accept third-party credentials.

IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-ISSUED PROFILES (IA-8 (4))

The information system conforms to FICAM-issued profiles.

AUDIT

  • Access Control Audit (AC002) under the Access Control Policy covers the IA-4 inactivity requirement.

  • Annual Management Review (MR002) includes review of this policy.