
Establish, implement, and maintain an identification and authentication policy.


CONTROL ID
14033
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an access control program., CC ID: 11702

This Control has the following implementation support Control(s):
  • Include the purpose in the identification and authentication policy., CC ID: 14234
  • Include the scope in the identification and authentication policy., CC ID: 14232
  • Include roles and responsibilities in the identification and authentication policy., CC ID: 14230
  • Include management commitment in the identification and authentication policy., CC ID: 14229
  • Include coordination amongst entities in the identification and authentication policy., CC ID: 14227
  • Include compliance requirements in the identification and authentication policy., CC ID: 14225
  • Disseminate and communicate the identification and authentication policy to interested personnel and affected parties., CC ID: 14197
  • Establish, implement, and maintain identification and authentication procedures., CC ID: 14053


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • identification and authentication: determination of who or what is requesting access and confirmation of the purported identity; (¶ 39(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The user authentication procedures are defined and implemented based on the business-related and security-relevant requirements: (4.1.2 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • The requirements for the handling of identification means over the entire lifecycle are determined and fulfilled. The following aspects are considered: (4.1.1 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • To apply effective access control as described in Principle 9: secure user management, you must have confidence in the authentication method used to determine the identity performing the access. (10. ¶ 3, Cloud Security Guidance, 2)
  • User and system identification and authentication policy and procedure requirements are established, documented, managed, monitored and enforced for users and systems accessing the entity's information, infrastructure platforms and network devices, application systems, data storage systems and utili… (S7.1 Manages identification and authentication, Privacy Management Framework, Updated March 1, 2020)
  • Documented. (8.1.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Kept up to date. (8.1.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • In use. (8.1.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Authentication policies and procedures are documented and communicated to all users including: (8.3.8, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation and interview personnel to verify that security policies and operational procedures that are identified in Requirement 8 are managed in accordance with all elements specified in this requirement. (8.1.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Review authentication policies and procedures that are distributed to users and verify they include the elements specified in this requirement. (8.3.8.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Documented. (8.1.1 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (8.1.1 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (8.1.1 Bullet 3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Authentication policies and procedures are documented and communicated to all users including: (8.3.8, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (8.1.1 Bullet 1, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (8.1.1 Bullet 2, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (8.1.1 Bullet 3, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (8.1.1 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (8.1.1 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (8.1.1 Bullet 3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Authentication policies and procedures are documented and communicated to all users including: (8.3.8, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (8.1.1 Bullet 1, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (8.1.1 Bullet 2, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (8.1.1 Bullet 3, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Authentication policies and procedures are documented and communicated to all users including: (8.3.8, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (8.1.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (8.1.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (8.1.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (8.1.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (8.1.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (8.1.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Authentication policies and procedures are documented and communicated to all users including: (8.3.8, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. (CC6.1 ¶ 3 Bullet 8 Manages Identification and Authentication, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The management of authenticators should be specified in applicable security policies and procedures, for example, constraints to change default authenticators, refresh periods, specification of the protection of authenticators or firecall procedures. (5.7.2 ¶ 3, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Identification and authentication policy [Assignment: organization-defined frequency]; and (IA-1b.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Identification and authentication policy [Assignment: organization-defined frequency]; and (IA-1b.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Identification and authentication policy [Assignment: organization-defined frequency]; and (IA-1b.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Identification and authentication policy [Assignment: organization-defined frequency]; and (IA-1b.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • IN GENERAL.—The Secretary shall adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system. In carrying out the preceding sentence for each health plan and health care provider, the Secret… (§ 1173(b)(1), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • The requirement to use or not use AA is dependent upon the physical, personnel, and technical security controls associated with the user location and whether CJI is accessed directly or indirectly. AA shall not be required for users requesting access to CJI from within the perimeter of a physically … (§ 5.6.2.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • AA shall be required when the requested service has built AA into its processes and requires a user to provide AA before granting access. EXAMPLES: (§ 5.6.2.2.1 ¶ 4, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • When accessing CJI from an authorized mobile device, advanced authentication shall be used by the authorized user unless the access to CJI is indirect as described in Section 5.6.2.2.1. If access is indirect, then AA is not required. (§ 5.13.7.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Possession and registration of an agency issued smartphone or tablet as an indication it is the authorized user (§ 5.13.7.2.1 ¶ 4 Bullet 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The requirement to use or not use AA is dependent upon the physical, personnel, and technical security controls associated with the user location and whether CJI is accessed directly or indirectly. AA shall not be required for users requesting access to CJI from within the perimeter of a physically … (§ 5.6.2.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • When accessing CJI from an authorized mobile device, advanced authentication shall be used by the authorized user unless the access to CJI is indirect as described in Section 5.6.2.2.1. If access is indirect, then AA is not required. (§ 5.13.7.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Identification and authentication policy [FedRAMP Assignment: at least annually]; and (IA-1b.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Identification and authentication policy [FedRAMP Assignment: at least every 3 years]; and (IA-1b.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Identification and authentication policy [FedRAMP Assignment: at least every 3 years]; and (IA-1b.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] identification and authentication policy that: (IA-1a.1., FedRAMP Security Controls High Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (IA-1a.1(b), FedRAMP Security Controls High Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least annually] and following [Assignment: organization-defined events]; and (IA-1c.1, FedRAMP Security Controls High Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] identification and authentication policy that: (IA-1a.1., FedRAMP Security Controls Low Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (IA-1a.1(b), FedRAMP Security Controls Low Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (IA-1c.1, FedRAMP Security Controls Low Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] identification and authentication policy that: (IA-1a.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (IA-1a.1(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (IA-1c.1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (IA-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] identification and authentication policy that: (IA-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (IA-1c.1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (IA-1c.1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] identification and authentication policy that: (IA-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (IA-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] identification and authentication policy that: (IA-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (IA-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (IA-1c.1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] identification and authentication policy that: (IA-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (IA-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (IA-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] identification and authentication policy that: (IA-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (IA-1c.1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (IA-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] identification and authentication policy that: (IA-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (IA-1c.1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (IA-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] identification and authentication policy that: (IA-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (IA-1c.1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (IA-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Identification and authentication policy [Assignment: organization-defined frequency]; and (IA-1b.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Identification and authentication policy [Assignment: organization-defined frequency]; and (IA-1b.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Identification and authentication policy [Assignment: organization-defined frequency]; and (IA-1b.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • One problem with passwords unique to the ICS environment is that a user's ability to recall and enter a password may be impacted by the stress of the moment. During a major crisis when human intervention is critically required to control the process, an operator may panic and have difficulty remembe… (§ 6.2.7.1 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Identification and authentication policy [Assignment: organization-defined frequency]; and (IA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Identification and authentication policy [Assignment: organization-defined frequency]; and (IA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Identification and authentication policy [Assignment: organization-defined frequency]; and (IA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Identification and authentication policy [Assignment: organization-defined frequency]; and (IA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] identification and authentication policy that: (IA-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (IA-1c.1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (IA-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] identification and authentication policy that: (IA-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (IA-1c.1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (IA-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Identification and authentication policy [Assignment: organization-defined frequency]; and (IA-1b.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Develop identification and badging policies and procedures for personnel who have access to secure areas or sensitive information. These policies should address: (Table 1: Personnel Identification and Badging Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1., TX-RAMP Security Controls Baseline Level 1)
  • Identification and authentication policy [TX-RAMP Assignment: at least every 3 years]; and (IA-1b.1., TX-RAMP Security Controls Baseline Level 1)
  • An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (IA-1a.1., TX-RAMP Security Controls Baseline Level 2)
  • Identification and authentication policy [TX-RAMP Assignment: at least every 3 years]; and (IA-1b.1., TX-RAMP Security Controls Baseline Level 2)