This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].
NIST 800-53 (r4) Supplemental Guidance:
Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI.
References:
OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
[Withdrawn: Incorporated into IA-2(1) and IA-2(2).]
38North Guidance:
Meets Minimum Requirement:
Information systems, for hardware token-based authentication, employ mechanisms that satisfy organization-defined token quality requirements.
Best Practice:
Implement documentation requirements for which tokens may be used within the environment, including encryption strengths and storage of the cryptographic keys on the tokens.
Implement hardware MFA tokens for user authentication that are FIPS 140-2 or FIPS 140-3 validated.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Demonstration of multi-factor authentication into the FedRAMP environment, specifically non-privileged account access, on components such as edge routers or network devices, from both CLI and GUI interfaces (if applicable), where non-privileged accounts are able to access these devices.
Screenshots of MFA configurations for accessing components in the environment, to verify that tokens are used in addition to a memorized secret.