This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization requires that the registration process to receive [FedRAMP Assignment: (M)(H) All hardware/biometric (multifactor authenticators)] be conducted [FedRAMP Selection: (M)(H) in-person] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
NIST 800-53 (r4) Supplemental Guidance:
None.
References:
OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
[Withdrawn: Incorporated into IA-12(4).]
38North Guidance:
Meets Minimum Requirement:
Requires that the registration process to receive organization-defined types of and/or specific authenticators be conducted in person or by a trusted third party before organization-defined registration authority with authorization by organization-defined personnel or roles.
Best Practice:
Implement documented processes for requesting MFA tokens for personnel accessing the FedRAMP environment.
Implement documented processes for distributing MFA hardware tokens or setting up software tokens, covering account creation, initial password setup, and how the tokens are delivered, and verify that the individual receiving the tokens is the intended recipient by requesting a photo badge or government ID to prove identity.
Implement documented processes for managing and controlling the MFA hardware and software tokens.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Documented workflow processes of how MFA hardware and software tokens are distributed, controlled, and managed for the FedRAMP environment.
CSP Implementation Tips: TBD