This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
NIST 800-53 (r4) Supplemental Guidance:
For information systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems.
References:
OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process. Related Controls: RA-2.
38North Guidance:
Meets Minimum Requirement:
Protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
Best Practice:
Implement mechanisms to protect passwords, cryptographic keys, and other authenticators.
Ensure that stored passwords are protected by salting and hashing, that passwords in transit are encrypted, and that MFA solutions are FIPS 140-2 or FIPS 140-3 validated, whether hardware tokens (such as YubiKey, RSA, Gemalto) or software tokens (such as Google Authenticator, RSA, Duo).
Ensure VPN traffic into the boundary is protected by TLS 1.2 or greater.
Ensure each MFA token has its own unique serial number.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots of the MFA process authenticating into the environment.
Screenshots showing that the MFA tokens in use are FIPS 140-2 or FIPS 140-3 validated.
TLS encryption settings for VPN traffic, verifying that TLS 1.2 or greater is in use.
CSP Implementation Tips: TBD