This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
NIST 800-53 (r4) Supplemental Guidance:
Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability. Related controls: AC-17, AC-18, AC-19, CA-3, IA-4, IA-5.
References:
None.
NIST 800-53 (r5) Discussion:
Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number/type of devices based on mission or business needs. Related Controls: AC-17, AC-18, AC-19, AU-6, CA-3, CA-9, IA-4, IA-5, IA-9, IA-11, SI-4.
38North Guidance:
Meets Minimum Requirement:
Uniquely identifies and authenticates organization-defined devices before establishing one or more of the following:
A local connection;
A remote connection; and/or
A network connection
Best Practice:
Implement device authentication for all physical and virtual components.
Maintain an accurate and up-to-date inventory control system of all system components including details such as:
Hostname
IP Address
MAC Address
Conduct host discovery scanning to ensure current inventory is accurate.
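The inventory and host-discovery practices above only pay off if the two are actually compared. The following is an added example (not part of the 38North guidance or any NIST publication) showing one way to do that comparison: it parses a constructed hostname/IP/MAC inventory export, parses constructed host-discovery output in a simple "ip mac hostname" form (the field order, the use of "-" for an unresolved hostname, and all sample values are assumptions of this example), reports duplicate hostnames, IPs and MACs within the inventory, and lists devices seen on the network but absent from inventory, inventory entries not seen by the scan, and addresses whose observed MAC differs from the recorded one.

```python
"""Reconcile a device inventory against host-discovery scan results.

Added example with constructed sample data; the formats and values below are
assumptions, not an export from any real tool or environment.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    hostname: str
    ip: str
    mac: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so 00-1A-2B-.. and 00:1a:2b:.. compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_inventory(text: str) -> list[Device]:
    """Parse a CSV export with a header naming the hostname, ip and mac columns."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = [h.strip().lower() for h in lines[0].split(",")]
    col = {name: header.index(name) for name in ("hostname", "ip", "mac")}
    devices = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.split(",")]
        devices.append(Device(cells[col["hostname"]], cells[col["ip"]], normalize_mac(cells[col["mac"]])))
    return devices


def parse_scan(text: str) -> list[Device]:
    """Parse whitespace-separated 'ip mac hostname' lines; '-' means the hostname did not resolve."""
    devices = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()  # allow trailing comments in the sample
        if not line:
            continue
        ip, mac, hostname = line.split()[:3]
        devices.append(Device("" if hostname == "-" else hostname, ip, normalize_mac(mac)))
    return devices


def find_duplicates(devices: list[Device]) -> dict[str, list[str]]:
    """Values that occur more than once per field; blank hostnames are ignored."""
    report = {}
    for field in ("hostname", "ip", "mac"):
        counts = Counter(getattr(d, field) for d in devices if getattr(d, field))
        report[field] = sorted(value for value, n in counts.items() if n > 1)
    return report


def reconcile(inventory: list[Device], scan: list[Device]) -> dict:
    """Compare by IP: what is on the wire but not recorded, recorded but not seen, or seen with a different MAC.

    Duplicate IPs within either list are collapsed here; find_duplicates() reports them separately.
    """
    inv_by_ip = {d.ip: d for d in inventory}
    scan_by_ip = {d.ip: d for d in scan}
    both = set(inv_by_ip) & set(scan_by_ip)
    return {
        "unknown_on_network": sorted(set(scan_by_ip) - set(inv_by_ip)),
        "missing_from_scan": sorted(set(inv_by_ip) - set(scan_by_ip)),
        "mac_mismatch": sorted(
            (ip, inv_by_ip[ip].mac, scan_by_ip[ip].mac)
            for ip in both if inv_by_ip[ip].mac != scan_by_ip[ip].mac
        ),
    }


# Constructed sample data (assumed formats and values).
SAMPLE_INVENTORY = """\
hostname,ip,mac
web01,10.0.1.10,00:1a:2b:3c:4d:01
web02,10.0.1.11,00:1a:2b:3c:4d:02
db01,10.0.1.20,00:1a:2b:3c:4d:10
web02,10.0.1.12,00:1a:2b:3c:4d:03
"""

SAMPLE_SCAN = """\
10.0.1.10 00-1A-2B-3C-4D-05 web01   # MAC differs from inventory
10.0.1.11 00-1A-2B-3C-4D-02 web02
10.0.1.12 00-1A-2B-3C-4D-03 web02
10.0.1.30 00-1A-2B-3C-4D-99 -       # not in inventory at all
"""


def run_report(inventory_text: str = SAMPLE_INVENTORY, scan_text: str = SAMPLE_SCAN) -> dict:
    inventory = parse_inventory(inventory_text)
    return {"duplicates": find_duplicates(inventory), "reconciliation": reconcile(inventory, parse_scan(scan_text))}


if __name__ == "__main__":
    for section, findings in run_report().items():
        print(section)
        for key, value in findings.items():
            print(f"  {key}: {value}")
```

Each non-empty finding maps to one of the evidence items this control expects: duplicate hostnames or IPs are what the SIEM report is meant to rule out, unknown_on_network is what host-discovery scanning exists to surface, and mac_mismatch is worth a ticket because the inventory record, not the device, is the authoritative identity the control depends on.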
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Inventory spreadsheet
Host discovery scan results
SIEM tool report results demonstrating that no duplicate hostnames or IPs exist within the FedRAMP boundary.
List of certificates or API keys used by devices
CSP Implementation Tips: TBD