3.5.1 has a weight of -5 points

(Identification and Authentication Family) 1/11

Identify system users, processes acting on behalf of users, and devices.


3.5.1 Assessment Objectives:

3.5.1[a] System users are identified.

3.5.1[b] Processes acting on behalf of users are identified.

3.5.1[c] Devices accessing the system are identified.

Example of System Security Plan (SSP):

    1. Established a process to identify system users, including individual users and processes acting on behalf of users, within the organization’s systems.
    2. Utilized common identifiers such as Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers to identify devices within the network.
    3. Managed individual identifiers for system users, such as user names associated with system accounts, ensuring that they are unique and accurately reflect the assigned individuals.
    4. Recognized that the management of individual identifiers is not applicable to shared system accounts, as shared accounts are used by multiple individuals and do not have specific individual identifiers.
    5. Evaluated the need for unique identification of individuals within group accounts or for detailed accountability of individual activity, implementing appropriate measures as required by organizational policies and security requirements.
    6. Identified and documented individual identifiers that are not necessarily associated with system accounts, such as identifiers used for authentication or authorization purposes.
    7. Defined organizational devices that require identification, either by type, specific device, or a combination of both, to accurately track and monitor their activities within the system.
    8. Incorporated guidance from SP 800-63-3 on digital identities, ensuring that best practices and industry standards are followed when managing digital identities and identity verification processes.
    9. Implemented mechanisms, such as user authentication and access control systems, to associate individual identifiers with their respective user accounts or processes, enabling accurate tracking and accountability.
    10. Conducted regular reviews and audits of user and device identifications to ensure accuracy, completeness, and adherence to the established identification policies and procedures.
    11. Updated and maintained a centralized repository or directory of user and device identifications for ease of management and reference.
    12. Integrated the identified user, process, and device information with other relevant security controls and monitoring systems to enhance the organization’s overall security posture and incident response capabilities.

     

    Example of Plan of Action and Milestones (POA&M):

    Milestone 1: User and Device Identification Process Development
    Task 1: Establish a process to identify system users and processes acting on behalf of users by [Target Date].
    Task 2: Utilize common identifiers such as MAC addresses, IP addresses, or device-unique token identifiers to identify devices within the network by [Target Date].
    Task 3: Manage individual identifiers for system users, ensuring uniqueness and accuracy of assigned individuals by [Target Date].

    Milestone 2: Management of Identifiers for Shared and Group Accounts
    Task 1: Recognize that shared system accounts do not have individual identifiers and develop appropriate management measures by [Target Date].
    Task 2: Evaluate the need for unique identification within group accounts or detailed accountability of individual activity and implement measures as required by organizational policies and security requirements by [Target Date].

    Milestone 3: Identification of Individual Identifiers and Organizational Devices
    Task 1: Identify and document individual identifiers not necessarily associated with system accounts by [Target Date].
    Task 2: Define organizational devices that require identification, either by type, specific device, or a combination thereof, to accurately track and monitor their activities by [Target Date].

    Milestone 4: Implementation of Identification Mechanisms
    Task 1: Implement mechanisms such as user authentication and access control systems to associate individual identifiers with user accounts or processes by [Target Date].
    Task 2: Conduct regular reviews and audits of user and device identifications to ensure accuracy, completeness, and adherence to identification policies and procedures by [Target Date].

    Milestone 5: Centralized Repository and Integration with Security Controls
    Task 1: Update and maintain a centralized repository or directory of user and device identifications by [Target Date].
    Task 2: Integrate identified user, process, and device information with other relevant security controls and monitoring systems by [Target Date].


    RELEVANT INFORMATION:

    Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities.

    Here’s an explanation of what the different aspects of this control mean:

    No Anonymous or Shared Access to CUI: CUI is sensitive information that requires careful handling. Anonymous access cannot satisfy this control, because every interaction with CUI must be traceable to a specific user, process, or device. A shared account only satisfies it if the organization has some other way of establishing which individual was using the account at the time; in practice the simplest way to meet the requirement is to give each person their own account.

    Centralized Identity Management: Management of user identities is commonly done through centralized systems like Active Directory. This helps in controlling and tracking user access, ensuring that only authorized individuals can access the CUI.

    Authentication Mechanism Required: Identification (this control) assigns the identifier, for example a username; authentication (3.5.2) proves that whoever presents the identifier is the assigned user, for example with a password and a second factor. The two work together: an identifier that is never verified provides no real accountability, so access to CUI must be restricted to those who can prove possession of the credentials tied to their identifier.

    Every Service Must Have a Traceable Account: Every individual and service that interacts with CUI must have an account that is traceable. This ensures that any access or interaction with CUI can be audited and traced back to a specific entity. So if two people are currently sharing an account, you will need to make separate accounts.

    3.5.1 Assessment Objectives: These objectives are specific criteria to ensure that the system users, processes acting on behalf of users, and devices accessing the system are identified. This aids in tracking and controlling access to the system.

    Identifiers and Guidance: Common identifiers for devices include MAC addresses, IP addresses, or unique tokens. These are used to clearly identify devices accessing the CUI. Also, unique user identifiers are generally the usernames linked with the system accounts. SP 800-63-3 provides further guidance on digital identities.

    Not Applicable to Shared System Accounts: The requirement for managing individual identifiers is not meant for shared accounts. This emphasizes the need for individual identification rather than group or shared identification.

    In summary, control 3.5.1 requires that every user, every process acting on behalf of a user, and every device that accesses the system be identified with a unique identifier, and it encourages centralized identity management so that those identifiers can be tracked and audited. Identification is the foundation that authentication (3.5.2) and audit accountability build on. By adhering to this control, an organization can enhance the security of CUI and comply with regulatory requirements.
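As an added example (not part of the original page or any assessment tool), the following Python script runs the kind of review described above over a constructed inventory of accounts and devices and reports findings against the three assessment objectives: duplicate, anonymous or shared user identifiers for [a], service accounts with no responsible user for [b], and devices with missing or colliding MAC addresses for [c]. All account names, asset tags and MAC addresses are made up, and the inventory dictionary layout is an assumption for this example, not a standard format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample inventory. Names, asset tags and MAC addresses are made up;
# the dict layout is an assumption for this example, not a standard format.
ACCOUNTS = [
    {"name": "jdoe",       "kind": "user",    "owners": ["Jane Doe"]},
    {"name": "rsmith",     "kind": "user",    "owners": ["Rob Smith"]},
    {"name": "helpdesk",   "kind": "user",    "owners": ["Jane Doe", "Rob Smith"]},  # shared
    {"name": "svc-backup", "kind": "service", "owners": ["Rob Smith"]},
    {"name": "svc-etl",    "kind": "service", "owners": []},            # nobody accountable
    {"name": "JDoe",       "kind": "user",    "owners": ["John Doe"]},  # collides with jdoe
    {"name": "guest",      "kind": "user",    "owners": []},            # anonymous access
]
DEVICES = [
    {"asset": "LT-0001", "mac": "aa:bb:cc:dd:ee:01"},
    {"asset": "LT-0002", "mac": "AA-BB-CC-DD-EE-02"},  # same kind of identifier, other notation
    {"asset": "LT-0003", "mac": "aa:bb:cc:dd:ee:01"},  # collides with LT-0001
    {"asset": "PRN-01",  "mac": ""},                    # not identified at all
]


def normalize_mac(raw):
    """Return a MAC in canonical aa:bb:cc:dd:ee:ff form, or None if unusable.

    Accepts colon, hyphen and Cisco dotted notation so that the same device
    recorded in two styles is recognised as one identifier.
    """
    s = (raw or "").strip().lower()
    if re.fullmatch(r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}", s):
        digits = re.sub(r"[:-]", "", s)
    elif re.fullmatch(r"([0-9a-f]{4}\.){2}[0-9a-f]{4}", s):
        digits = s.replace(".", "")
    else:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_accounts(accounts):
    """Objectives [a] and [b]: identifiers unique, every account tied to a person."""
    findings = []
    by_name = defaultdict(list)
    for acct in accounts:
        by_name[acct["name"].lower()].append(acct)  # usernames are case-insensitive on most directories
    for name, entries in by_name.items():
        if len(entries) > 1:
            findings.append({"objective": "3.5.1[a]", "identifier": name,
                             "issue": f"identifier assigned to {len(entries)} accounts; identifiers must be unique"})
    for acct in accounts:
        owners = acct.get("owners", [])
        if acct["kind"] == "service":
            if not owners:  # a process acting on behalf of nobody cannot be attributed
                findings.append({"objective": "3.5.1[b]", "identifier": acct["name"],
                                 "issue": "service account has no responsible user recorded"})
        elif not owners:
            findings.append({"objective": "3.5.1[a]", "identifier": acct["name"],
                             "issue": "no individual assigned; treat as anonymous or generic access"})
        elif len(owners) > 1:
            findings.append({"objective": "3.5.1[a]", "identifier": acct["name"],
                             "issue": f"shared by {len(owners)} individuals; split into separate accounts "
                                      "or document another way to attribute activity"})
    return findings


def audit_devices(devices):
    """Objective [c]: every device carries a usable, unambiguous identifier."""
    findings = []
    by_mac = defaultdict(list)
    for dev in devices:
        mac = normalize_mac(dev.get("mac"))
        if mac is None:
            findings.append({"objective": "3.5.1[c]", "identifier": dev["asset"],
                             "issue": "no usable device identifier recorded"})
        else:
            by_mac[mac].append(dev["asset"])
    for mac, assets in by_mac.items():
        if len(assets) > 1:  # one identifier cannot point at two assets
            findings.append({"objective": "3.5.1[c]", "identifier": mac,
                             "issue": "identifier recorded for assets " + ", ".join(assets)})
    return findings


def audit(accounts, devices):
    findings = audit_accounts(accounts) + audit_devices(devices)
    return {"findings": findings,
            "by_objective": dict(Counter(f["objective"] for f in findings)),
            "passed": not findings}


if __name__ == "__main__":
    result = audit(ACCOUNTS, DEVICES)
    for f in result["findings"]:
        print(f"{f['objective']} {f['identifier']}: {f['issue']}")
    print("PASS" if result["passed"] else f"FAIL {result['by_objective']}")
```

Run as-is the script reports six findings (three under [a], one under [b], two under [c]); the output maps directly onto the POA&M milestones above, since each line names the objective that would fail and the identifier that needs fixing. Exporting the account list from a directory and the device list from an asset inventory into the same two structures is left to the reader, as it depends on the systems in use.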

     

    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, and expiration, as well as the implementation of multi-factor authentication for an extra layer of security. Note that SP 800-63B, part of the SP 800-63-3 suite cited above, advises against forcing periodic password changes unless there is evidence the password has been compromised, so a policy that mandates regular rotation should state why it departs from that guidance.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.