IA-2(13)—Out-Of-Band Authentication
Supplemental Guidance
Out-of-band authentication refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path) is used to identify and authenticate users or devices and is generally the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action.
For example, a user authenticates via a notebook computer to a remote server to which the user desires access and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user's cell phone to verify that the requested action originated from the user. The user may confirm the intended action to an individual on the telephone or provide an authentication code via the telephone.
Out-of-band authentication can be used to mitigate actual or suspected man-in-the-middle attacks. The conditions or criteria for activation include suspicious activities, new threat indicators, elevated threat levels, or the impact or classification level of information in requested transactions.
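As an added illustration (not part of the NIST control text), the following Python sketches the server side of the exchange described above: the in-band request is held until a one-time code delivered over the second channel confirms it, and the activation criteria from the guidance decide when that second channel is required. The class name, the trigger flags, the sensitive-action list and the server key are constructed for the example, and delivery to the user's phone is simulated.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret; a real deployment would load it from a KMS/HSM.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TRIGGERS = {"suspicious_activity", "new_threat_indicator", "elevated_threat_level"}
SENSITIVE_ACTIONS = {"wire_transfer", "export_classified"}   # constructed list

def requires_oob(action: str, risk_flags: set[str]) -> bool:
    """Activation criteria named in the guidance: suspicious activity, new threat
    indicators, elevated threat level, or the sensitivity of the transaction."""
    return action in SENSITIVE_ACTIONS or bool(risk_flags & TRIGGERS)

def _bind(session_id: str, action: str, code: str) -> bytes:
    # Binding the code to the session and the exact action means a code obtained
    # for one request cannot be replayed to confirm a different one.
    msg = "\x1f".join((session_id, action, code)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

class OutOfBandVerifier:
    """Issues and checks one-time codes delivered over a second channel
    (e.g. the user's registered phone); delivery itself is simulated."""

    def __init__(self, ttl_seconds: int = 120, clock=time.time):
        self.ttl, self.clock = ttl_seconds, clock
        self.pending: dict[str, dict] = {}   # session_id -> {hash, expires, attempts}

    def issue(self, session_id: str, action: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = {"hash": _bind(session_id, action, code),
                                    "expires": self.clock() + self.ttl, "attempts": 3}
        # Real system: send `code` to the user's phone, never over the in-band
        # session. Returned here only so the caller can simulate that channel.
        return code

    def verify(self, session_id: str, action: str, code_from_phone: str) -> bool:
        p = self.pending.get(session_id)
        if p is None or self.clock() > p["expires"]:
            self.pending.pop(session_id, None)   # expired or unknown: fail closed
            return False
        p["attempts"] -= 1
        ok = hmac.compare_digest(p["hash"], _bind(session_id, action, code_from_phone))
        if ok or p["attempts"] <= 0:
            del self.pending[session_id]   # single use; discard after success or lockout
        return ok
```

The code is bound to the session and the requested action, expires, is single-use, and locks out after three failed attempts, so a code captured for one action cannot confirm another.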
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of IA-2(13) (Out-Of-Band Authentication)?
- Who are the designated roles responsible for implementing, maintaining, and monitoring IA-2(13)?
- How frequently is the IA-2(13) policy reviewed and updated, and what triggers policy changes?
- What governance structure ensures IA-2(13) requirements are consistently applied across all systems?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce IA-2(13) requirements.
- What automated tools, systems, or technologies are deployed to implement IA-2(13)?
- How is IA-2(13) integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce IA-2(13) requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of IA-2(13)?
- What audit logs, records, reports, or monitoring data validate IA-2(13) compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of IA-2(13) effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate IA-2(13) compliance?