
3.5.2 Identification and Authentication - Basic

Basic Requirement

>Control Description

Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

>Discussion

Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length.

Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication.

Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords. [SP 800-63-3] provides guidance on digital identities.
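The discussion above names three organization-defined authenticator settings (minimum password length, the validation window for time-synchronous one-time tokens, and the number of allowed rejections before verification fails) plus the rejection of factory default credentials. The following Python block is an added illustration written for this page; it is not code from NIST or from this site. The TOTP arithmetic follows RFC 6238 (HMAC-SHA1, 30-second step), while the policy values (14-character minimum, a one-step window, five allowed failures) and the short list of default credentials are constructed assumptions, not numbers the control prescribes.

```python
"""Authenticator-management checks for 3.5.2 (added example, assumptions labelled)."""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed sample of well-known factory defaults; a real deployment would
# draw this from vendor documentation, not from a hard-coded set.
FACTORY_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


@dataclass(frozen=True)
class AuthenticatorPolicy:
    """Organization-defined settings. These values are assumptions for the example."""
    min_password_length: int = 14   # minimum password length
    totp_step_seconds: int = 30      # RFC 6238 time step
    totp_window_steps: int = 1       # accept +/- this many steps of clock drift
    max_failed_attempts: int = 5     # rejections allowed before the account locks


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, at_unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_unix_time: int,
                policy: AuthenticatorPolicy = AuthenticatorPolicy()) -> bool:
    """Accept a code only inside the bounded validation window; compare in constant time."""
    counter = at_unix_time // policy.totp_step_seconds
    for drift in range(-policy.totp_window_steps, policy.totp_window_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + drift), submitted):
            return True
    return False


def password_meets_policy(password: str, policy: AuthenticatorPolicy = AuthenticatorPolicy()) -> bool:
    """Requirement about authenticator content: enforce the minimum length."""
    return len(password) >= policy.min_password_length


def is_factory_default(username: str, password: str) -> bool:
    """Initial authenticator content that must be replaced before the system goes live."""
    return (username, password) in FACTORY_DEFAULT_CREDENTIALS


@dataclass
class AccountVerifier:
    """Tracks rejections during verification and locks after the allowed number."""
    username: str
    totp_secret: bytes
    policy: AuthenticatorPolicy = AuthenticatorPolicy()
    failed_attempts: int = field(default=0)

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= self.policy.max_failed_attempts

    def attempt(self, submitted_code: str, at_unix_time: int) -> bool:
        if self.locked:
            return False
        if verify_totp(self.totp_secret, submitted_code, at_unix_time, self.policy):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); constructed demo values below.
    secret = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = 1111111109
    print("current code:", totp(secret, now))
    print("default creds rejected:", is_factory_default("admin", "admin"))
    print("short password rejected:", not password_meets_policy("Summer2024"))
```

The constant-time comparison and the bounded window matter together: a wide window quietly lowers the effort needed to guess a code, and the rejection counter is what turns "six digits" into a real limit on that guessing.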

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern installation of security-relevant software updates?
  • What is your patch management process and timeline?
  • How do you prioritize patches and updates?
  • Who approves and deploys security updates?
  • What procedures address emergency patching?

Technical Implementation:

  • What patch management tools deploy security updates?
  • How do you automate patch deployment where possible?
  • What testing occurs before patch deployment?
  • How do you verify successful patch installation?
  • What mechanisms track patch compliance across systems?

Evidence & Documentation:

  • Can you provide patch deployment records and timelines?
  • What reports show patch compliance rates?
  • Can you demonstrate critical patches are installed promptly?
  • What evidence shows patch management process effectiveness?
  • What audit findings track patch installation compliance?
