IA-02 Identification and Authentication (Organizational Users)

Baselines

Guidance

Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.

Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.

The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.

References 17

• FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
• FIPS 201-2 National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2.
• FIPS 202 National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202.
• SP 800-63-3 Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020.
• SP 800-73-4 Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016.
• SP 800-76-2 Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2.
• SP 800-78-4 Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4.
• SP 800-79-2 Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2.
• SP 800-156 Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156.
• SP 800-166 Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166.
• IR 7539 Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539.
• IR 7676 Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676.
• IR 7817 Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817.
• IR 7849 Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849.
• IR 7870 Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870.
• IR 7874 Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874.
• IR 7966 Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966.

Control Enhancements 13

• IA-02(01) Multi-factor Authentication to Privileged Accounts L M H P
• IA-02(02) Multi-factor Authentication to Non-privileged Accounts L M H P
• IA-02(03) Local Access to Privileged Accounts
• IA-02(04) Local Access to Non-privileged Accounts
• IA-02(05) Individual Authentication with Group Authentication L M H P
• IA-02(06) Access to Accounts —separate Device L M H P
• IA-02(07) Network Access to Non-privileged Accounts — Separate Device
• IA-02(08) Access to Accounts — Replay Resistant L M H P
• IA-02(09) Network Access to Non-privileged Accounts — Replay Resistant
• IA-02(10) Single Sign-on L M H P
• IA-02(11) Remote Access — Separate Device
• IA-02(12) Acceptance of PIV Credentials L M H P
• IA-02(13) Out-of-band Authentication L M H P

Related controls 18

• AC-02 Account Management L M H P
• AC-03 Access Enforcement L M H P
• AC-04 Information Flow Enforcement L M H P
• AC-14 Permitted Actions Without Identification or Authentication L M H P
• AC-17 Remote Access L M H P
• AC-18 Wireless Access L M H P
• AU-01 Policy and Procedures L M H P
• AU-06 Audit Record Review, Analysis, and Reporting L M H P
• IA-04 Identifier Management L M H P
• IA-05 Authenticator Management L M H P
• IA-08 Identification and Authentication (Non-organizational Users) L M H P
• IA-13 Identity Providers and Authorization Servers L M H P
• MA-04 Nonlocal Maintenance L M H P
• MA-05 Maintenance Personnel L M H P
• PE-02 Physical Access Authorizations L M H P
• PL-04 Rules of Behavior L M H P
• SA-04 Acquisition Process L M H P
• SA-08 Security and Privacy Engineering Principles L M H P