>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

IA-11Re-authentication

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Require users to re-authenticate when organization-defined circumstances or situations requiring re-authentication.

>DoD Impact Level Requirements

Additional Requirements and Guidance

IA-11 Guidance: The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are: - AAL3 (high baseline) -- 12 hours or -- 15 minutes of inactivity

>Discussion

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.

>Programmatic Queries

Beta

Related Services

Cognito
IAM
STS

CLI Commands

Check Cognito refresh token settings
aws cognito-idp describe-user-pool --user-pool-id POOL_ID --query 'UserPool.{RefreshTokenValidity:RefreshTokenValidity,TokenValidityUnits:TokenValidityUnits}'
Get IAM role session duration
aws iam get-role --role-name ROLE --query 'Role.MaxSessionDuration'
Check STS session policies
aws sts get-session-token --duration-seconds 900
List Cognito device tracking
aws cognito-idp describe-user-pool --user-pool-id POOL_ID --query 'UserPool.DeviceConfiguration'
Open AWS ConsoleDocumentation

>Related Controls

AC-3
AC-11
IA-2
IA-3
IA-4
IA-8

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of IA-11 (Re-Authentication)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring IA-11?
  • How frequently is the IA-11 policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures IA-11 requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce IA-11 requirements.
  • What automated tools, systems, or technologies are deployed to implement IA-11?
  • How is IA-11 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce IA-11 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of IA-11?
  • What audit logs, records, reports, or monitoring data validate IA-11 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of IA-11 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate IA-11 compliance?

Ask AI

Configure your API key to use AI features.