CMMC v2.11 Practices

IA.L2-3.5.2  

Reference: CMMC v2.11

Family: IA

Level Introduced: 2

Title: Authentication [CUI Data]

Practice:
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems.

Further Discussion:
Before a person or device is given system access, verify that the user or device is who or what it claims to be. This verification is called authentication. The most common way to verify identity is using a username and a hard-to-guess password.

Some devices ship with default usernames and passwords. Some devices ship with a default username (e.g., admin) and password. A default username and password must be immediately changed to something unique. Default passwords may be well known to the public, easily found in a search, or easy to guess, allowing an unauthorized person to access the system.

Example 1
You are in charge of purchasing. You know that some laptops come with a default username and password. You notify IT that all default passwords should be reset prior to laptop use [a]. You ask IT to explain the importance of resetting default passwords and convey how easily they are discovered using internet searches during next week’s cybersecurity awareness training.

Example 2
Your company decides to use cloud services for email and other capabilities. Upon reviewing this requirement, you realize every user or device that connects to the cloud service must be authenticated. As a result, you work with your cloud service provider to ensure that only properly authenticated users and devices are allowed to connect to the system [a,c].

Potential Assessment Considerations
• Are unique authenticators used to verify user identities (e.g., passwords) [a]?
• An example of a process acting on behalf of users could be a script that logs in as a person or service account [b]. Can the OSA show that it maintains a record of all of those service accounts for use when reviewing log data or responding to an incident?
• Are user credentials authenticated in system processes (e.g., credentials binding, certificates, tokens) [b]?
• Are device identifiers used in authentication processes (e.g., MAC address, non-anonymous computer name, certificates) [c]?

This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.

This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.

Source: CMMC v2.11