
NIST SP 800-171 Requirement 3.5: Identification & Authentication

Businesses that work with the Department of Defense (DoD) as contractors or vendors need to meet specific cybersecurity regulations. The National Institute of Standards and Technology (NIST) has developed a guide to assist businesses with adherence to Defense Federal Acquisition Regulation Supplement (DFARS) standards. The fifth of the 14 Families of Requirements for NIST 800-171 compliance is Identification and Authentication.

What is Identification & Authentication in Terms of NIST 800-171?

This is a central authentication requirement for managing permissions and access to the network. Through it, a business can identify and properly authenticate all network users and impose a common schema for user identification with strong authentication. The NIST guidelines also require implementing multi-factor authentication. Planning and implementing this process requires thoughtful network architecture, minimum requirements for network access, and applicable policies.

A single sign-on (SSO) system managed through a Central Authentication Service (CAS) provides user identification and authentication. Windows Active Directory and Azure AD are commonly used central authentication services and can be easily integrated with multi-factor authentication solutions. The Identification and Authentication family has 2 Basic and 9 Derived requirements.

Basic Requirements

  • 3.5.1 Identify system users, processes acting on behalf of users, and devices.
  • 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

Derived Requirements

  • 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  • 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.
  • 3.5.5 Prevent reuse of identifiers for a defined period.
  • 3.5.6 Disable identifiers after a defined period of inactivity.
  • 3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
  • 3.5.8 Prohibit password reuse for a specified number of generations.
  • 3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password.
  • 3.5.10 Store and transmit only cryptographically-protected passwords.
  • 3.5.11 Obscure feedback of authentication information.

For a guide to digital identities, check out SP 800-63. To learn more about NIST SP 800-171 compliance, please visit NIST.SP.800-171r2.pdf and be sure to review the assessment guide: SP 800-171A, Assessing Security Requirements for CUI | CSRC

Our extensive partner network ensures that no matter what, we can assist you with all your compliance needs. Contact us here. Keep up with our latest content by following NeQter Labs on Twitter, Facebook, LinkedIn, and Youtube.
