This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
NIST 800-53 (r4) Supplemental Guidance:
Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13.
References: FIPS Publication 140; Web: http://csrc.nist.gov/groups/STM/cmvp/index.html.
NIST 800-53 (r5) Discussion:
Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it.
Related Controls: AC-3.
38North Guidance:
Meets Minimum Requirement:
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Best Practice:
Implement strong encryption mechanisms such as TLS 1.2 or higher, backed by FIPS 140-2 or 140-3 validated cryptographic modules, when using mutual authentication.
If Active Directory services that rely on Kerberos are in use, ensure that AES-256 is the Kerberos encryption type in use.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots of MFA token configuration showing that the CSP uses FIPS 140-2 or FIPS 140-3 validated cryptography.
TLS settings for VPN traffic permitted into the FedRAMP boundary, showing that TLS 1.2 or higher is enforced.
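A check for the TLS portion of the best practice and assessment evidence above, added here as an example (not code from this page or from 38North): it builds a server-side TLS context that enforces the stated settings, a constructed weak baseline for comparison, and an audit function that returns the findings an assessor would record. The `ca_file` argument is an assumed placeholder for the client CA bundle; validated-module status itself comes from the module's CMVP certificate, which no cipher list can prove.

```python
import ssl

# Policy values assumed for this added example, taken from the best practice
# above: TLS 1.2 or higher, mutual authentication, FIPS-approved primitives.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def mutual_auth_server_context(ca_file=None):
    """Server-side context that enforces the page's best practice.

    TLS 1.2 minimum, client certificates required (mutual authentication),
    and only ECDHE + AES-GCM suites for TLS 1.2.  TLS 1.3 suites are fixed by
    the OpenSSL provider, not by set_ciphers(); a FIPS provider drops the
    non-approved ones itself.  ca_file is a hypothetical client-CA path.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL")
    if ca_file:
        ctx.load_verify_locations(ca_file)
    return ctx


def legacy_server_context():
    """Constructed weak baseline: library defaults, no client-cert check."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def audit_context(ctx):
    """Return the findings an assessor would record for a context."""
    non_approved = []
    for c in ctx.get_ciphers():
        # Keep only AEAD suites whose bulk cipher is AES-GCM; flag the rest,
        # e.g. CBC suites or ChaCha20-Poly1305, which is not FIPS-approved.
        if not (c["aead"] and (c["symmetric"] or "").startswith("aes-")):
            non_approved.append(f'{c["protocol"]} {c["name"]}')
    return {
        "min_version_ok": ctx.minimum_version >= MIN_TLS,
        "mutual_auth": ctx.verify_mode == ssl.CERT_REQUIRED,
        "non_approved_ciphers": non_approved,
    }


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", mutual_auth_server_context())):
        print(label, audit_context(ctx))
```

On a non-FIPS OpenSSL build the hardened context still lists the TLS 1.3 ChaCha20 suite, which is exactly the gap an assessor should expect the validated module's own configuration to close.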
CSP Implementation Tips: TBD