3.5.11 Identification and Authentication - Derived

Derived Requirement

>Control Description

Obscure feedback of authentication information

>Discussion

The feedback from systems does not provide any information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems or system components, for example, desktop or notebook computers with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with small displays, this threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to the small keyboards.

Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before fully obscuring it.
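The two feedback policies the discussion describes (full masking for large displays, a brief reveal of the last character for small keyboards) as an added, constructed model that is not part of the NIST text; `MaskedFeedback`, `FakeClock` and the one-second window are assumptions for illustration:

```python
import time
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class MaskedFeedback:
    """What the screen shows while a secret is typed (constructed example).

    reveal_seconds == 0.0: every character is rendered as '*' (large-display policy).
    reveal_seconds  > 0.0: the newest character stays visible that long, then is
    masked too (small-display policy that tolerates typing errors).
    The secret is held only in memory and is never rendered in full.
    """
    reveal_seconds: float = 0.0
    clock: Callable[[], float] = time.monotonic   # injectable for deterministic tests
    _chars: List[str] = field(default_factory=list, init=False)
    _reveal_until: float = field(default=0.0, init=False)

    def key(self, ch: str) -> None:
        """Accept one typed character and open the brief reveal window for it."""
        self._chars.append(ch)
        self._reveal_until = self.clock() + self.reveal_seconds

    def backspace(self) -> None:
        """Delete the last character; nothing is revealed after a deletion."""
        if self._chars:
            self._chars.pop()
        self._reveal_until = 0.0

    def render(self) -> str:
        """Return exactly the feedback string the display should show right now."""
        masked = "*" * len(self._chars)
        if self._chars and self.clock() < self._reveal_until:
            return masked[:-1] + self._chars[-1]
        return masked

    def value(self) -> str:
        """The actual secret, for handing to the verifier, never for display."""
        return "".join(self._chars)


class FakeClock:
    """Constructed clock so the reveal window can be advanced by hand."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now
```

With `reveal_seconds=1.0` and a `FakeClock`, `render()` shows `*3` right after typing `s` then `3`, and `**` once the clock has advanced past the window; with the default `0.0` every keystroke renders as `*` immediately.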

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What documented policies and procedures address obscuring authentication feedback (3.5.11) on CUI systems?
  • Who is accountable for implementing and maintaining the controls that obscure authentication feedback?
  • How frequently are the requirements for obscuring authentication feedback reviewed, and what triggers updates?
  • What process ensures that changes to systems remain compliant with the requirement to obscure authentication feedback?
  • How are exceptions to this requirement documented and approved?

Technical Implementation:

  • What technical controls obscure authentication feedback in your CUI environment?
  • How are those controls configured and maintained across all CUI systems?
  • What automated mechanisms support compliance with this requirement?
  • How do you validate that the implemented masking achieves its intended security outcome?
  • What compensating controls exist if authentication feedback cannot be fully obscured on some systems?

Evidence & Documentation:

  • What documentation proves that authentication feedback is obscured and that the control is operating effectively?
  • Can you provide configuration evidence showing how authentication feedback is technically obscured?
  • What audit logs or monitoring data demonstrate ongoing compliance with this requirement?
  • Can you show evidence of a recent review or assessment of the controls that obscure authentication feedback?
  • What artifacts would you provide to a CMMC assessor to demonstrate compliance with 3.5.11?
