Device Class 1: Authenticator Management

Control ID: IA-5 Authenticator Management Family: Identification and Authentication Source: NIST 800-53r4
Control: The organization manages information system authenticators by:
  1. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
  2. Establishing initial authenticator content for authenticators defined by the organization;
  3. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  4. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
  5. Changing default content of authenticators prior to information system installation;
  6. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
  7. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
  8. Protecting authenticator content from unauthorized disclosure and modification;
  9. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
  10. Changing authenticators for group/role accounts when membership to those accounts changes.
Supplemental Guidance:
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.

Related Controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28, IA-8
Control Enhancements:
(1) Authenticator Management | Password-based Authentication
The information system, for password-based authentication:
  1. Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
  2. Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
  3. Stores and transmits only cryptographically-protected passwords;
  4. Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
  5. Prohibits password reuse for [Assignment: organization-defined number] generations; and
  6. Allows the use of a temporary password for system logons with an immediate change to a permanent password.

Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.
Related Controls: IA-6

(2) Authenticator Management | Pki-based Authentication
The information system, for PKI-based authentication:
  1. Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
  2. Enforces authorized access to the corresponding private key;
  3. Maps the authenticated identity to the account of the individual or group; and
  4. Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

Supplemental Guidance: Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.
Related Controls: IA-6
References: N/A
Mechanisms:

  • Device shall store encrypted hashed-password in a database (only accessible to privileged users) using strong encryption algorithm.
  • Device shall enforce password-related security policy (e.g. frequent change, difference between old and new passwords, length, etc.)
  • Device shall provide a secure mechanism for users to update their password .
  • Device shall only allow network login attempts over a secure channel .
  • Device shall require the old password for password reset by a user .
  • Device shall implement a secure mechanism for “forgot password.”
  • Device shall have a configuration file that describes the list of SCMS components and how to reach them.
  • Device shall provide connection to SCMS components.
  • Device shall be able to store PKI-based credentials.
  • Device shall support communication protocol as specified in IEEE 1609.2 .
  • Device shall support X.509 certificate chain construction .
Protocol Implementation Conformance Statements:
ID Statement Status Reference Notes
IA-5(1)/1 Stores encrypted hashed-password in a database (only accessible to privileged users) M Specify encryption algorithm
IA-5(1)/2 Enforces password-related security policy M Specify policy
IA-5(1)/3 Provides a secure mechanism for users to update their password M Specify password update mechanism
IA-5(1)/4 Allows network login attempts over a secure channel M
IA-5(1)/5 Requires old password for password reset by a user M
IA-5(1)/6 Implement a secure mechanism for “forgot password M Specify forgot password mechanism
IA-5(2)/7 Maintains a configuration file that describes the list of SCMS components and how to reach them M
IA-5(2)/8 Provides a connection to SCMS components M Specify connection mechanism
IA-5(2)/9 Stores PKI-based credentials M
IA-5(2)/10 Supports communication protocol as specified in IEEE 1609.2 M IEEE 1609.2
IA-5(2)/11 Supports X.509 certificate chain construction M