
IA-5(12) Biometric Authentication Performance

Control Description

For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements: [Assignment: organization-defined biometric quality requirements].

Supplemental Guidance

Unlike password-based authentication, which provides exact matches of user-input passwords to stored passwords, biometric authentication does not provide exact matches. Depending on the type of biometric and the type of collection mechanism, there is likely to be some divergence between the presented biometric and the stored biometric that serves as the basis for comparison. Matching performance is the rate at which a biometric algorithm correctly results in a match for a genuine user and rejects other users.

Biometric performance requirements include the match rate, which reflects the accuracy of the biometric matching algorithm used by a system.

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of IA-5(12) (Biometric Authentication Performance)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring IA-5(12)?
  • How frequently is the IA-5(12) policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures IA-5(12) requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce IA-5(12) requirements.
  • What automated tools, systems, or technologies are deployed to implement IA-5(12)?
  • How is IA-5(12) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce IA-5(12) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of IA-5(12)?
  • What audit logs, records, reports, or monitoring data validate IA-5(12) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of IA-5(12) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate IA-5(12) compliance?
