IA-2—Identification and Authentication (Organizational Users)
Control Description
FedRAMP Baseline Requirements
Additional Requirements and Guidance
- IA-2 Requirement: For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.
- IA-2 Requirement: Multi-factor authentication must be phishing-resistant.
- IA-2 Requirement: All uses of encrypted virtual private networks must meet all applicable Federal requirements, and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.
- IA-2 Guidance: "Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.
Discussion
Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12. Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication.
Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access.
Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks.
Internal networks include local area networks and wide area networks. The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.
Cross-Framework Mappings
Programmatic Queries
Related Services
CLI Commands
aws iam list-users --query 'Users[*].UserName' --output text | xargs -I {} aws iam list-mfa-devices --user-name {}
aws iam list-virtual-mfa-devices
aws sso-admin list-instances
Relevant Technologies
Technology-specific guidance with authoritative sources and verification commands.
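As an added example (not part of this page or its tooling), the Python below applies the phishing-resistance requirement above to the JSON that the `aws iam list-users` and `aws iam list-mfa-devices` commands under CLI Commands return. The sample output is constructed, and the rule that only `u2f/` serial numbers denote FIDO security keys while `mfa/` ARNs denote virtual TOTP devices is an assumption about IAM's serial-number formats; IAM Identity Center users (`aws sso-admin list-instances`) are not covered.

```python
import json

# Constructed sample output in the shape `aws iam list-users` returns (trimmed to the fields read here).
LIST_USERS_OUTPUT = json.loads("""
{"Users": [
  {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice"},
  {"UserName": "bob",   "Arn": "arn:aws:iam::123456789012:user/bob"},
  {"UserName": "carol", "Arn": "arn:aws:iam::123456789012:user/carol"}
]}""")

# Constructed per-user output, keyed by user name, in the shape
# `aws iam list-mfa-devices --user-name <name>` returns.
LIST_MFA_OUTPUT = {
    "alice": {"MFADevices": [{"UserName": "alice",
              "SerialNumber": "arn:aws:iam::123456789012:u2f/user/alice/EXAMPLEKEYID"}]},
    "bob":   {"MFADevices": [{"UserName": "bob",
              "SerialNumber": "arn:aws:iam::123456789012:mfa/bob"}]},
    "carol": {"MFADevices": []},
}


def classify_device(serial_number: str) -> str:
    """Map an MFA device serial number to a device class.

    Assumption about IAM serial formats: FIDO keys carry a ``u2f/`` ARN, virtual (TOTP app)
    devices carry an ``mfa/`` ARN, hardware OTP tokens carry a bare vendor serial. Only FIDO
    counts as phishing-resistant: a TOTP code can be relayed to a look-alike site.
    """
    if ":u2f/" in serial_number:
        return "fido"
    if ":mfa/" in serial_number:
        return "virtual"
    return "hardware-otp"


def assess_mfa(users_output: dict, mfa_by_user: dict) -> dict:
    """Return {user name: status} for every IAM user in users_output."""
    findings = {}
    for user in users_output["Users"]:
        name = user["UserName"]
        devices = mfa_by_user.get(name, {}).get("MFADevices", [])
        classes = {classify_device(d["SerialNumber"]) for d in devices}
        if not classes:
            findings[name] = "no-mfa"
        elif "fido" in classes:
            findings[name] = "phishing-resistant"
        else:
            findings[name] = "mfa-not-phishing-resistant"
    return findings
```

To run it against a real account, replace the constructed dictionaries with `json.loads` of the corresponding command output.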
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of IA-2 (Identification and Authentication (Organizational Users))?
- Who are the designated roles responsible for implementing, maintaining, and monitoring IA-2?
- How frequently is the IA-2 policy reviewed and updated, and what triggers policy changes?
- What governance structure ensures IA-2 requirements are consistently applied across all systems?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce IA-2 requirements.
- What automated tools, systems, or technologies are deployed to implement IA-2?
- How is IA-2 integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce IA-2 requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of IA-2?
- What audit logs, records, reports, or monitoring data validate IA-2 compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of IA-2 effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate IA-2 compliance?