3.5.2 has a weight of -5 points
(Identification and Authentication Family) 2/11
Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
Video
Example of Sysytem Security Plan (SSP):
1. Introduction
[Company Name] is committed to maintaining robust and secure authentication protocols to protect organizational systems and Controlled Unclassified Information (CUI). This SSP outlines our practices, mechanisms, and measures to authenticate and verify the identities of users, processes, and devices.
2. Authentication Mechanisms
- User Authentication: Users must provide individual authenticators, such as passwords, key cards, or cryptographic devices, to gain access.
- Multi-Factor Authentication (MFA): Combines two or more different types of authenticators, ensuring a stronger authentication process.
- Device and Process Verification: Implemented mechanisms to verify the identities of devices and processes, including those that interact with organizational systems.
- Initial Authenticator Content: Ensured the organization’s security standards are met, such as minimum password length.
- Avoidance of Factory Default Credentials: Avoided easily discoverable default credentials that may pose security risks.
3. Authenticator Management
- Configuration and Management: Configured system components to support organization-defined settings and restrictions for authenticator characteristics.
- Managing Issued Authenticators: Managed authenticators securely, revoking and removing them when no longer needed.
- Compliance with SP 800-63-3: Followed best practices on digital identities for authenticator management and identity verification.
- Reviews and Assessments: Conducted regular assessments to ensure effectiveness and alignment with industry practices.
- User Education: Educated users on strong authentication practices, including the protection of passwords.
4. Monitoring and Logging
- Monitoring and Logging of Events: Captured relevant information on authentication events, supporting incident response, auditing, and investigations.
- Integration with Other Security Controls: Integrated with access control systems, enhancing overall system protection.
5. Access Control and Verification Philosophy
Access control at [Company Name] is more than just implementing technical measures. It’s about understanding who needs access to what information and ensuring that the right people have the right access. This approach is evidenced by:
- Controlled Access: No open access to CUI, with verification required for access to ensure authorized interaction.
- Physical Access Control: Measures like security badges and camera verification at entrances for physical areas where CUI is handled.
- Layered Security: Collaborative integration of IT security controls, including passwords and multi-factor authentication.
6. Conclusion
The authentication and verification practices outlined in this SSP underscore [Company Name]’s commitment to security and compliance. As we continue to evolve and adapt to new threats, we remain steadfast in our dedication to ensuring that our systems, users, and information are protected.
Example of Plan of Action and Milestones ( POA & M):
Plan of Action and Milestones (POA&M) for [Company Name]
| Item No. | Action Item | Responsibility | Milestone Date | Resources Needed | Status |
|---|---|---|---|---|---|
| 1 | Implement Multi-Factor Authentication (MFA) | IT Department | MM/DD/YYYY | Hardware tokens, software development | In Progress |
| 2 | Educate Users on Strong Authentication Practices | HR & Security Team | MM/DD/YYYY | Training materials, personnel time | Planned |
| 3 | Review and Update Password Policies | IT Security Team | MM/DD/YYYY | Policy documentation | Completed |
| 4 | Integrate Authentication with Access Control Systems | IT & Security Team | MM/DD/YYYY | Integration tools, software licenses | In Progress |
| 5 | Conduct Regular Authentication Mechanism Assessments | Security Audit Team | MM/DD/YYYY | Assessment tools, personnel time | Planned |
| 6 | Implement Security Camera Verification at Front Desk | Facilities & Security Team | MM/DD/YYYY | Cameras, monitoring systems | In Progress |
| 7 | Remove and Revoke Unnecessary Authenticators | IT Security Team | MM/DD/YYYY | Access to authenticator systems | Completed |
| 8 | Comply with SP 800-63-3 for Digital Identities | Compliance Team | MM/DD/YYYY | Compliance documentation, legal consultation | Planned |
| 9 | Monitor and Log Authentication Events | IT & Security Team | MM/DD/YYYY | Monitoring tools, software licenses | In Progress |
Additional Remarks
- Item No. 1: The implementation of MFA is critical to enhancing the overall security posture. It requires a combination of hardware and software solutions.
- Item No. 2: The user education campaign should be continuous, and it will require collaboration between HR and the Security Team.
- Item No. 8: Adherence to SP 800-63-3 standards will require a detailed understanding of the legal and compliance landscape, possibly necessitating external consultation.
This POA&M is subject to regular review and updates to ensure alignment with organizational goals and compliance requirements. All responsible parties should be aware of their roles and remain committed to the timely completion of these action items.
The dates, resources, and statuses in the above POA&M would need to be tailored specifically to your organization’s needs and current status. It’s also crucial to involve relevant stakeholders to ensure that the POA&M is practical and aligned with the broader organizational strategy.
RELEVANT INFORMATION:
Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords. [SP 800-63-3] provides guidance on digital identities.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.