🎫 11 Practices
NIST 3.5.1 - 3.5.11
Identification and Authentication Policy
Identification and Authentication Domain (IA)
📖 What This Policy Covers
Identification and Authentication is about proving 'you are who you say you are' before granting access. This policy covers unique user identifiers, identity verification processes, password requirements, multi-factor authentication (MFA), cryptographic authentication (certificates, SSH keys), device authentication (802.1X, NAC), federated identity and SSO, service account management, and privileged access authentication. It works hand-in-hand with the Access Control policy -- IA proves identity, AC determines what that identity can access.
Purpose
This policy ensures that users and devices are uniquely identified before accessing systems, authentication mechanisms are strong enough to prevent unauthorized access, credentials are properly managed and protected throughout their lifecycle, and the organization meets CMMC Level 2 requirements for identity management.
Scope
Applies to all employees, contractors, vendors, service accounts, and automated processes. Covers all information systems, applications, databases, and network devices processing CUI. Includes all authentication methods: passwords, MFA, certificates, biometrics, API keys, and SSH keys across cloud, on-premise, hybrid, and SaaS environments.
🎯 Why It Matters
Stolen or weak credentials are the #1 attack vector -- 80% of breaches involve compromised credentials (Verizon DBIR). Without strong identification and authentication, access controls are meaningless because anyone can impersonate a legitimate user. MFA alone blocks 99.9% of automated attacks (Microsoft). This domain has 11 practices, making it the second-largest family after Access Control, reflecting how critical identity is to security.
🔐 Key Requirements
1. User Identification
Every user, process, and device must have a unique identifier with proper identity verification before access is granted.
- ✓ Every user has a unique identifier ([email protected] or first initial + last name)
- ✓ Service accounts use svc-[purpose] naming (e.g., svc-backup, svc-api)
- ✓ Shared accounts prohibited (no 'admin', 'support', 'developer' accounts)
- ✓ Emergency break-glass accounts: documented, monitored, reviewed monthly
- ✓ Identity verified before provisioning: employees via HR onboarding + photo ID, contractors via NDA + sponsor verification
- ✓ Audit trail associates all actions to specific user ID
2. Password Requirements
Strong password standards, secure storage, and proper lifecycle management.
- ✓ Minimum 14 characters with 3 of 4 complexity types (upper, lower, number, special)
- ✓ Prohibited: dictionary words, company name, username, sequential/repeated characters
- ✓ Password history: last 12 cannot be reused; no reuse within 1 year
- ✓ Expiration: standard 90 days, privileged 60 days, service accounts 180 days, cloud with MFA 120 days
- ✓ Lockout: 5 consecutive failures triggers 30-minute lockout with notification to user + IT Security
- ✓ Temporary passwords: system-generated, valid 24 hours max, forced change on first login
- ✓ Storage: NEVER plaintext, hashed with FIPS 140-2 approved algorithms (bcrypt, Argon2, PBKDF2), salted, encrypted at rest
3. Multi-Factor Authentication (MFA)
MFA requirements, acceptable methods, enrollment, and replay resistance.
- ✓ MFA required for: all privileged accounts, remote access (VPN/cloud), CUI systems, email, cloud consoles, access from non-company IPs
- ✓ Acceptable methods (preference order): hardware tokens (YubiKey), authenticator apps, push notifications, biometrics; SMS only temporary
- ✓ Prohibited: voice call OTP, email OTP
- ✓ Enrollment within 48 hours of account creation; each user registers 2+ MFA methods
- ✓ Replay resistance: TOTP codes valid 30 seconds and non-reusable, nonce-based challenges, session tokens bound to IP and device
- ✓ 100% enrollment tracked via monthly reports
4. Cryptographic Authentication
Certificate-based authentication, PKI management, SSH key management, and FIPS-validated cryptographic modules.
- ✓ Certificate-based auth required for: service-to-service APIs, privileged infrastructure access (SSH, RDP), device auth (802.1X), code signing
- ✓ Certificate standards: RSA 2048-bit minimum (4096-bit or ECC P-256+ preferred), max 397 days validity
- ✓ PKI: company-operated internal CA, auto-enrollment via GPO/Intune, revocation within 24 hours of compromise
- ✓ SSH keys: ED25519 preferred, RSA 4096-bit minimum, passphrase required, 180-day rotation for privileged access
- ✓ FIPS 140-2 validated modules required; SHA-256+ hash functions; AES-256 encryption; SHA-1 prohibited
5. Device Authentication
Device identity verification and network access control.
- ✓ All devices enrolled in MDM with unique device ID (serial, asset tag, device certificate)
- ✓ 802.1X authentication for wired and wireless networks using device certificates
- ✓ Posture assessment before network access: AV enabled, firewall enabled, patches current, encryption enabled
- ✓ Non-compliant devices quarantined to remediation VLAN
- ✓ IoT/headless devices: certificate-based auth only, device attestation via TPM, mutual TLS
6. Service Account & Non-Human Identities
Management of service accounts, API keys, and automated process identities.
- ✓ Unique identifier per service/application (svc-db-backup)
- ✓ Documentation required: purpose, owner, systems accessed, permissions, credential storage, last review date
- ✓ Preferred auth: certificate-based or managed identities (Azure MI, AWS IAM roles)
- ✓ If password required: 32+ character random, stored in vault (Azure Key Vault, HashiCorp Vault), rotated every 180 days automatically
- ✓ API keys rotated every 90 days, stored in secrets management
- ✓ Quarterly review; disabled immediately when service retired
7. Privileged Access Authentication
Enhanced authentication requirements for administrative and privileged accounts.
- ✓ Separate accounts: standard (jsmith) + privileged (jsmith-admin)
- ✓ MFA mandatory with no exceptions; session recording via PAM
- ✓ Just-In-Time (JIT) temporary elevation preferred over standing access
- ✓ Every privileged access requires ticket/justification
- ✓ Break-glass accounts: 32+ char password in sealed envelope in physical safe, monitored 24/7, password changed within 1 hour of use
👥 Roles & Responsibilities
CISO / IT Director
- • Overall accountability for identity and authentication program
- • Approve authentication standards and exceptions
- • Review authentication logs quarterly
- • Ensure compliance with this policy
IT Department / Identity Administrators
- • Implement and maintain IAM systems (Active Directory, Azure AD)
- • Provision unique identifiers, enforce password policies and MFA
- • Monitor authentication failures and anomalies
- • Maintain identity lifecycle (creation, modification, deletion)
Human Resources (HR)
- • Provide new hire information for identity provisioning
- • Notify IT of terminations/role changes within 24 hours
- • Coordinate identity verification for new users
Application Owners / System Administrators
- • Configure authentication requirements per this policy
- • Implement MFA for all CUI-handling systems
- • Document service account usage
- • Report authentication issues to IT Security
All Users
- • Protect personal credentials (no sharing)
- • Report lost/stolen authentication devices within 1 hour
- • Complete MFA enrollment within 48 hours of account creation
- • Report suspicious authentication requests immediately
🛠️ Implementation Roadmap (8 Weeks)
1
Identity Foundation
Weeks 1-2- → Week 1: Audit existing identities, identify shared accounts, standardize naming to firstname.lastname, create separate admin accounts, document service accounts
- → Week 2: Configure password policy via GPO (14 char min, 12 history, 90-day expiry, 5-attempt lockout), enable Azure AD Password Protection with banned word list, deploy password manager company-wide
2
Multi-Factor Authentication
Weeks 3-4- → Week 3: Select MFA provider, configure Conditional Access / IAM MFA policies, procure hardware tokens (YubiKey) for privileged users
- → Week 4: Roll out MFA -- Phase 1: admins, Phase 2: remote users, Phase 3: all users. Create training materials, track enrollment daily, escalate non-compliance after 48 hours
3
Certificate-Based Authentication
Weeks 5-6- → Week 5: Deploy Certificate Authority (Windows Server CA or Azure AD CA), define certificate templates, configure auto-enrollment via GPO/Intune
- → Week 6: Inventory service accounts, migrate to certificate auth where possible, deploy secrets vault (Azure Key Vault / HashiCorp Vault), configure automated credential rotation
4
Device Authentication & Monitoring
Weeks 7-8- → Week 7: Configure 802.1X on network switches (RADIUS + device certificates), pilot with IT department, roll out by floor/department
- → Week 8: Configure SIEM to ingest auth logs (Azure AD sign-ins, AD events 4625/4740/4771, VPN, SSH), create dashboards and alerts, assign 24/7 on-call rotation
Recommended Tools
Azure AD / Active Directory (identity)Microsoft Authenticator / Duo / Okta (MFA)YubiKey / Titan Security Key (hardware tokens)Azure Key Vault / HashiCorp Vault (secrets management)Windows Server CA / DigiCert (PKI)LastPass / 1Password / Bitwarden (password managers)Microsoft Intune / JAMF (MDM / certificate deployment)
📊 CMMC Practice Mapping
| Practice ID | Requirement | Policy Section |
|---|---|---|
| IA.L1-3.5.1 | Identify users, processes, devices | 1, 5, 6 |
| IA.L1-3.5.2 | Authenticate users, processes, devices | 1, 4, 5 |
| IA.L2-3.5.3 | Use multi-factor authentication | 3 |
| IA.L2-3.5.4 | Employ replay-resistant authentication | 3 |
| IA.L2-3.5.5 | Prevent reuse of identifiers | 1, 2 |
| IA.L2-3.5.6 | Disable inactive accounts | See AC Policy |
| IA.L2-3.5.7 | Enforce minimum password complexity | 2 |
| IA.L2-3.5.8 | Prohibit password reuse | 2 |
| IA.L2-3.5.9 | Allow temp password use only once | 2 |
| IA.L2-3.5.10 | Store/transmit passwords cryptographically | 2, 6 |
| IA.L2-3.5.11 | Obscure feedback during authentication | Built into OS |
📋 Evidence Requirements
These are the artifacts a C3PAO assessor will ask for. Start collecting early.
Password Policy GPO / Azure AD Config Screenshots
Format: PNG/PDF
Frequency: Quarterly or after changes
Contents: Group Policy Management console showing password settings (min length 14, history 12, lockout 5). Azure AD Password Protection showing banned word list.
Tip: Capture both on-prem GPO and cloud password policy. Show the exact settings matching your policy requirements.
MFA Configuration Screenshot
Format: PNG/PDF
Frequency: Quarterly or after changes
Contents: Azure AD Conditional Access policy requiring MFA showing policy name, users/groups, cloud apps, grant controls
Tip: Show the Conditional Access policy in 'Report-only' first, then 'On'. Capture the policy details including which users/apps are covered.
MFA Enrollment Report
Format: CSV/Excel
Frequency: Monthly
Contents: User list with MFA status (Enabled/Enforced/Disabled). Target: 100% Enforced for CUI access.
Tip: Use PowerShell: Get-MsolUser -All | Select DisplayName, UserPrincipalName, StrongAuthenticationRequirements. Highlight any gaps with remediation timelines.
Failed Authentication Log
Format: CSV
Frequency: Monthly
Contents: Last 30 days of failed login attempts with timestamp, username, source IP, reason (wrong password, locked out)
Tip: Source from Azure AD Sign-in logs or AD Event ID 4625. Show that lockout policy is enforced (5 failed = locked).
Service Account Registry
Format: Excel/SharePoint
Frequency: Updated continuously, reviewed quarterly
Contents: Account name, purpose, owner, last reviewed, auth method, credential location
Tip: Include every service account -- even ones that seem low-risk. Assessors check for completeness.
Certificate Inventory
Format: CSV
Frequency: Quarterly
Contents: Certificate subject, serial number, expiration date, usage, issued to
Tip: Export from PKI management console or Azure Key Vault. Flag any certificates expiring within 30 days.
Password Policy Test Results
Format: PDF with screenshots
Frequency: Quarterly
Contents: Test 1: weak password rejected. Test 2: no complexity rejected. Test 3: reuse rejected. Test 4: lockout after 5 failures.
Tip: Use a test account. Screenshot each attempt and result. Include tester name and date.
Training Records
Format: PDF/Excel
Frequency: Annual training, ongoing for new hires
Contents: Roster for 'Password Security Best Practices' and 'MFA Enrollment Workshop', quiz results (80% pass rate minimum)
Tip: Include acknowledgment forms showing users received and agreed to the policy.
⚠️ Common Gaps (What Assessors Flag)
1. Shared or generic accounts still in use
Why this happens: Legacy systems require a shared login, or teams share 'admin' for convenience.
How to close the gap: Inventory all shared accounts. For each: either convert to individual accounts, or document as an exception with compensating controls (e.g., PAM session recording, IP restrictions).
2. MFA not covering all required access paths
Why this happens: MFA deployed for cloud console but VPN, on-prem apps, or SSH still use password-only.
How to close the gap: Map every access path to CUI systems. Ensure MFA is enforced on each one. For legacy apps, use a reverse proxy or jump server with MFA.
3. Service accounts with stale credentials
Why this happens: Service accounts were set up years ago and nobody owns them. Passwords haven't been rotated.
How to close the gap: Assign an owner to every service account. Move credentials to a vault with automated rotation. Disable unused accounts after 90 days.
4. No password manager deployed
Why this happens: Budget constraints or user resistance. Users resort to sticky notes or password reuse.
How to close the gap: Deploy a password manager (Bitwarden is free for small teams). Include in security awareness training. Make it the default for all new accounts.
📝 Template Customization Guide
When filling in the downloadable template for this policy, replace these placeholders with your organization's specifics:
[COMPANY NAME] Your organization's legal name
Example: Acme Defense Systems, LLC
[CISO Name] Name of your CISO or IT Director
Example: Jane Smith
[MM/DD/YYYY] Policy dates
Example: 03/01/2026
[certificate management system] Your PKI/certificate management tool
Example: DigiCert CertCentral
[Service Account Registry] Where service accounts are documented
Example: SharePoint list at /sites/IT/ServiceAccounts
Customization Tips
- 💡 If your organization doesn't operate a PKI, use a third-party CA and document the arrangement
- 💡 Adjust MFA method preferences based on your user population (remote workers may prefer mobile app over hardware token)
- 💡 For service accounts, prioritize managed identities (Azure MI, AWS IAM roles) over password-based auth
- 💡 If 14-character passwords cause significant pushback, implement passphrase guidance (e.g., 'correct-horse-battery-staple')
- 💡 Document any systems that cannot support MFA and describe compensating controls (IP restrictions, VPN-only access, enhanced logging)