NetStable
Level 1 IA.L1-3.5.2

Authenticate (or verify) the identities of users, processes, or devices

📖 What This Means

This control requires that the identity of every user, process, or device is verified before it is granted access to your systems, for example by checking a username and password. Verifying identities first is what keeps unauthorized parties away from sensitive information. When an employee logs into a work computer, the system checks their credentials; similarly, a server might verify a device's identity (for example, via a certificate) before allowing it to connect. This practice is a foundation for maintaining security and preventing breaches.

🎯 Why It Matters

Without proper authentication, unauthorized users or devices can access sensitive data, leading to breaches, data theft, or system compromises. For instance, the 2017 Equifax breach exposed millions of records due to weak authentication controls. The DoD emphasizes this control to protect classified information and ensure only authorized access. The impact of failure includes financial losses, reputational damage, and potential loss of contracts. Proper authentication mitigates these risks by ensuring only verified entities can access critical systems.

✅ How to Implement

  1. Enable Identity and Access Management (IAM) in your cloud provider (e.g., AWS IAM, Azure AD).
  2. Set up multi-factor authentication (MFA) for all user accounts.
  3. Configure role-based access control (RBAC) to limit permissions.
  4. Use cloud-native authentication tools (e.g., AWS Cognito, Azure AD B2C).
  5. Regularly audit and review access logs for anomalies.
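As an added example (not part of the NetStable page or any vendor tool), the script below shows what steps 2 and 5 look like as a repeatable review: it reads an MFA enrollment export (CSV) to list accounts still without MFA, and scans authentication log lines for two patterns worth a closer look, bursts of failed logins and accounts successfully used from several source addresses (a signal to check against the "shared accounts" mistake later on this page). The CSV columns, the log line format, and all user names and addresses are constructed assumptions; adapt the column names and regular expression to your own identity provider's export.

```python
"""Review helpers for two evidence artifacts: an MFA enrollment report (CSV)
and authentication log lines. All sample data below is constructed."""
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed MFA enrollment export. Column names are an assumption; real
# exports (e.g. from an identity provider's console) will differ.
MFA_REPORT_CSV = """\
user,mfa_enabled,mfa_method
alice@example.test,true,authenticator_app
bob@example.test,false,
svc-backup@example.test,false,
carol@example.test,TRUE,fido2
dave@example.test,no,
"""

# Constructed authentication log lines in a hypothetical format:
#   <timestamp> <SUCCESS|FAILURE> user=<account> src=<address>
AUTH_LOG = """\
2024-05-01T08:00:01Z SUCCESS user=alice@example.test src=10.0.0.5
2024-05-01T08:00:07Z FAILURE user=bob@example.test src=203.0.113.9
2024-05-01T08:00:09Z FAILURE user=bob@example.test src=203.0.113.9
2024-05-01T08:00:11Z FAILURE user=bob@example.test src=203.0.113.9
2024-05-01T08:00:14Z FAILURE user=bob@example.test src=203.0.113.9
2024-05-01T08:00:16Z FAILURE user=bob@example.test src=203.0.113.9
2024-05-01T08:00:20Z SUCCESS user=bob@example.test src=203.0.113.9
2024-05-01T09:12:33Z SUCCESS user=shared-desk@example.test src=10.0.0.21
2024-05-01T09:13:02Z SUCCESS user=shared-desk@example.test src=10.0.0.22
2024-05-01T09:15:48Z SUCCESS user=shared-desk@example.test src=10.0.0.23
2024-05-01T10:01:00Z SUCCESS user=carol@example.test src=10.0.0.8
garbage line that does not match the expected format
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Values accepted as "MFA is on"; anything else is treated as NOT enrolled,
# so a blank or unexpected cell fails closed and shows up in the gap list.
TRUE_VALUES = {"true", "yes", "1", "enabled"}


def users_without_mfa(csv_text):
    """Return accounts whose mfa_enabled cell is not a recognised true value."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = []
    for row in reader:
        flag = (row.get("mfa_enabled") or "").strip().lower()
        if flag not in TRUE_VALUES:
            missing.append(row["user"].strip())
    return missing


def parse_auth_log(text):
    """Parse log lines; non-matching lines are skipped and counted so the
    reviewer knows how much of the export was not understood."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
        elif line.strip():
            skipped += 1
    return events, skipped


def failed_login_bursts(events, threshold=5):
    """Accounts with at least `threshold` FAILURE events, as {user: count}."""
    failures = Counter(e["user"] for e in events if e["result"] == "FAILURE")
    return {u: n for u, n in failures.items() if n >= threshold}


def accounts_used_from_many_sources(events, min_sources=3):
    """Accounts with successful logins from `min_sources` or more distinct
    source addresses; a prompt to check for shared credentials, not proof."""
    sources = defaultdict(set)
    for e in events:
        if e["result"] == "SUCCESS":
            sources[e["user"]].add(e["src"])
    return {u: sorted(s) for u, s in sources.items() if len(s) >= min_sources}


def review(csv_text=MFA_REPORT_CSV, log_text=AUTH_LOG):
    """Run all checks and return one dict suitable for a monthly review note."""
    events, skipped = parse_auth_log(log_text)
    return {
        "users_without_mfa": users_without_mfa(csv_text),
        "failed_login_bursts": failed_login_bursts(events),
        "multi_source_accounts": accounts_used_from_many_sources(events),
        "unparsed_log_lines": skipped,
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

The output of `review()` is the kind of finding list that backs the "MFA Enrollment Report" and "Access Logs" evidence items below: the accounts still lacking MFA (including service accounts, which are easy to overlook), the unparsed line count (so a changed export format does not silently produce an empty review), and the accounts that deserve a follow-up conversation rather than an automatic verdict.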
⏱️ Estimated Effort

8-16 hours for setup; ongoing maintenance requires 2-4 hours monthly. Requires intermediate IT skills.

📋 Evidence Examples

IAM Policy Document

Format: PDF
Frequency: Annually or after changes
Contents: Detailed IAM policies and configurations
Collection: Export from cloud provider console

MFA Enrollment Report

Format: CSV
Frequency: Quarterly
Contents: List of users with MFA enabled
Collection: Export from authentication tool

Access Logs

Format: Log file
Frequency: Monthly
Contents: Logs of authentication attempts
Collection: Export from authentication system

Password Policy

Format: Word document
Frequency: Annually or after changes
Contents: Password complexity and expiration rules
Collection: Create and maintain in IT policy repository

Training Records

Format: Spreadsheet
Frequency: Annually
Contents: List of employees trained on authentication policies
Collection: Maintain in HR system

πŸ“ SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For IA.L1-3.5.2 ("Authenticate (or verify) the identities of users, processes, or devices"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it is working. Describe how users, devices, and processes are identified and authenticated, including your IAM platform, password policies, MFA implementation, certificate management, and service account controls. Be specific: name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"IA.L1-3.5.2 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to authenticate (or verify) the identities of users, processes, or devices. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"IA.L1-3.5.2 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to authenticate (or verify) the identities of users, processes, or devices. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"IA.L1-3.5.2 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all authentication entry points (local login, VPN, cloud, API)
  • Document the identity provider(s) and authentication flow
  • Specify MFA methods and coverage
  • Ensure this control covers all systems within your defined CUI boundary where authenticating the identities of users, processes, or devices applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Identification and Authentication Policy
  • 📄 Password policy configuration
  • 📄 MFA enrollment records
  • 📄 Service account registry
  • 📄 Evidence artifacts specific to IA.L1-3.5.2
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will test authentication mechanisms, verify MFA is enforced for required access paths, check password policy configuration, and review service account documentation.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do all users have unique login credentials?

✅ YES → Proceed to Q2
❌ NO → GAP: Implement unique credentials for each user. Timeline: 1 week

Question 2: Is MFA enabled for all user accounts?

✅ YES → Proceed to Q3
❌ NO → GAP: Enable MFA for all accounts. Timeline: 2 weeks

Question 3: Are password policies enforced (e.g., complexity, expiration)?

✅ YES → Proceed to Q4
❌ NO → GAP: Implement and enforce password policies. Timeline: 1 week

Question 4: Are authentication logs reviewed regularly?

✅ YES → Proceed to Q5
❌ NO → GAP: Set up regular log reviews. Timeline: 2 weeks

Question 5: Are devices authenticated before accessing the network?

✅ YES → Compliant
❌ NO → GAP: Implement device authentication. Timeline: 3 weeks

⚠️ Common Mistakes (What Auditors Flag)

1. Shared accounts

Why this happens: Convenience or lack of awareness
How to avoid: Enforce unique credentials for each user

2. Weak password policies

Why this happens: Lax enforcement or outdated policies
How to avoid: Implement and enforce strong password policies

3. MFA not enabled

Why this happens: Cost concerns or lack of understanding
How to avoid: Educate on MFA benefits and enable it for all accounts

4. Inconsistent authentication across environments

Why this happens: Separate cloud and on-premise management
How to avoid: Use hybrid identity solutions for consistency

5. Lack of regular log reviews

Why this happens: Resource constraints or oversight
How to avoid: Schedule regular log reviews and automate where possible

📚 Parent Policy

This practice is governed by the Identification and Authentication Policy.

View IA Policy →

📚 Related Controls