IA-5—Authenticator Management

LI-SaaS

Low

Moderate

High

>Control Description

Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b. Establishing initial authenticator content for any authenticators issued by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e. Changing default authenticators prior to first use; f. Changing or refreshing authenticators ⚙organization-defined time period by authenticator type or when ⚙organization-defined events occur; g. Protecting authenticator content from unauthorized disclosure and modification; h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i. Changing authenticators for group or role accounts when membership to those accounts changes.

>FedRAMP Baseline Requirements

Additional Requirements and Guidance

IA-5 Requirement: Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3 IA-5 Guidance: SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

>Discussion

Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password).

In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk.

The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators.

Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.

>Cross-Framework Mappings

SCF

>Programmatic Queries

Beta

Related Services

Secrets Manager

Parameter Store

IAM

CLI Commands

List secrets

aws secretsmanager list-secrets

Check password policy

aws iam get-account-password-policy

List access keys older than 90 days

aws iam list-users --query 'Users[*].UserName' --output text | xargs -I {} sh -c 'aws iam list-access-keys --user-name {} --query "AccessKeyMetadata[?CreateDate<='$(date -d '90 days ago' +%Y-%m-%d)']"'

Open AWS Console Documentation

>Relevant Technologies

Technology-specific guidance with authoritative sources and verification commands.

Okta Microsoft Entra ID Auth0 Duo Security

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What formal policies and procedures govern the implementation of IA-5 (Authenticator Management)?
•Who are the designated roles responsible for implementing, maintaining, and monitoring IA-5?
•How frequently is the IA-5 policy reviewed and updated, and what triggers policy changes?
•What governance structure ensures IA-5 requirements are consistently applied across all systems?

Technical Implementation:

•Describe the specific technical mechanisms or controls used to enforce IA-5 requirements.
•What automated tools, systems, or technologies are deployed to implement IA-5?
•How is IA-5 integrated into your system architecture and overall security posture?
•What configuration settings, parameters, or technical specifications enforce IA-5 requirements?

Evidence & Documentation:

•What documentation demonstrates the complete implementation of IA-5?
•What audit logs, records, reports, or monitoring data validate IA-5 compliance?
•Can you provide evidence of periodic reviews, assessments, or testing of IA-5 effectiveness?
•What artifacts would you present during a FedRAMP assessment to demonstrate IA-5 compliance?

Ask AI

Configure your API key to use AI features.