3.5.3 has a weight of -3 to 5 points

(Identification and Authentication Family) 3/11

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. [24][25]


Example of System Security Plan (SSP):

    1. System Security Plan (SSP) – Example

      I. Introduction

      This System Security Plan (SSP) details the measures implemented by our organization to comply with the requirements of NIST SP 800-171, focusing on Control 3.5.3, multifactor authentication (MFA). The following sections explain how we have deployed MFA and related security measures to ensure secure access to our systems.

      II. MFA Implementation for Privileged and Non-Privileged Accounts

      1. Privileged Accounts:

        • Implementation: Implemented MFA for local and network access to privileged accounts, requiring at least two different factors to authenticate users.
        • Authentication Factors: Utilized various factors such as passwords, cryptographic devices, tokens, or biometrics to establish robust authentication.
        • MFA Solutions: Deployed MFA solutions involving hardware tokens, smart cards, or commercial MFA solutions with replay resistance.
      2. Non-Privileged Accounts:

        • Extension of MFA: Extended MFA to network access for non-privileged accounts, requiring multiple authentication factors for users or processes accessing the systems through network connections.
        • Network Access: Implemented MFA across various networks including LANs, WANs, and the Internet.
        • Remote Access: Treated remote access as a form of network access and enforced MFA at the VPN/remote-access gateway; the encrypted VPN protects confidentiality in transit but does not substitute for MFA.
      3. Tokens and Credentials:

        • Hard and Soft Tokens: Utilized both hard (e.g., smart cards) and soft tokens to securely store user credentials.
      4. Integration at System and Application Levels:

        • Integration Points: Integrated MFA mechanisms at both system (e.g., at logon) and application levels when necessary to enhance information security and prevent unauthorized access.
      5. Compliance and Best Practices:

        • Guidance and Standards: Followed guidance provided in SP 800-63-3 for digital identity best practices, including MFA.
        • Regular Review: Regularly reviewed and updated MFA mechanisms and processes to align with evolving threats, industry best practices, and organizational needs. 


    Example of Plan of Action and Milestones (POA&M):

    Milestone 1: Implementation of Multifactor Authentication (MFA) for Privileged Accounts
    Task 1: Implement MFA for local and network access to privileged accounts, requiring users to authenticate using two or more different factors by [Target Date].
    Task 2: Utilize different authentication factors, such as passwords, cryptographic identification devices, or biometrics, to establish strong authentication for privileged account access by [Target Date].
    Task 3: Deploy MFA solutions, including physical authenticators like hardware tokens or smart cards, with replay resistance for enhanced security by [Target Date].

    Milestone 2: Extension of Multifactor Authentication to Network Access
    Task 1: Implement MFA for network access, requiring users or processes to authenticate using multiple factors for non-privileged accounts by [Target Date].
    Task 2: Identify remote access as a type of network access and enforce MFA for remote connections at the VPN/remote-access gateway, with the encrypted VPN as an additional confidentiality measure rather than a substitute for MFA, by [Target Date].

    Milestone 3: Utilization of Multifactor Authentication Mechanisms
    Task 1: Utilize hard tokens or soft tokens to securely store user credentials as part of the MFA process by [Target Date].
    Task 2: Integrate MFA mechanisms at the system level (e.g., at logon) and, when necessary, at the application level for increased information security by [Target Date].

    Milestone 4: Compliance with Standards and Best Practices
    Task 1: Follow the guidance provided in SP 800-63-3 for best practices and standards regarding digital identities and multifactor authentication by [Target Date].

    Milestone 5: Regular Reviews and Updates
    Task 1: Regularly review and update multifactor authentication mechanisms and processes to adapt to evolving threats, industry best practices, and organizational needs by [Target Date].

    MFA Tools:

    Implementing multifactor authentication (MFA) requires a combination of hardware, software, and cloud-based tools. Depending on your organization’s specific needs and the scale of implementation, various solutions might be suitable. Here are some common tools you might consider:

    1. Hardware Tokens:

    • Yubico’s YubiKey: A physical hardware token that supports multiple authentication protocols (e.g., FIDO2/WebAuthn, OTP, and PIV smart-card mode).
    • RSA SecurID: A well-known hardware token used for two-factor authentication.

    2. Software and Mobile Authentication:

    • Google Authenticator: A mobile app that generates time-based one-time passwords (TOTP) for two-factor authentication.
    • Microsoft Authenticator: Similar to Google’s offering, Microsoft’s app allows for secure MFA.

    3. Enterprise Solutions:

    • Duo Security: Offers various MFA options including push notifications, TOTP, phone callbacks, and hardware tokens.
    • Okta: A comprehensive identity management solution that provides strong MFA options.
    • Symantec VIP: Offers strong authentication with various authenticator options like mobile apps, SMS, and voice. Note that SP 800-63B classifies SMS and voice one-time codes as restricted authenticators because the phone network can be intercepted or redirected; prefer app-based, hardware, or FIDO authenticators where possible.

    4. Biometric Solutions:

    • Windows Hello: Utilizes facial recognition, fingerprints, or PINs to enable strong authentication. A PIN on its own is only a knowledge factor; Windows Hello for Business counts as MFA because the PIN or biometric unlocks a private key bound to the device’s TPM (something you have).
    • Apple’s Face ID and Touch ID: Biometric solutions used in Apple devices.

    5. Smart Cards and USB Security Keys:

    • Smart Card Readers: Hardware devices that read smart cards used for authentication.
    • Feitian ePass: USB security keys that can be used for secure authentication.

    6. Virtual Private Networks (VPN) with MFA:

    • Cisco AnyConnect: Can be configured with MFA for secure remote access.
    • Fortinet FortiGate: Offers integrated MFA in its VPN solutions.

    7. Identity and Access Management (IAM) Platforms:

    • Azure Active Directory (now Microsoft Entra ID): Offers MFA as part of its identity services, enforceable per user or through Conditional Access policies.
    • AWS Identity and Access Management (IAM): Includes MFA options for added security.
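    The TOTP apps listed above implement RFC 6238, and the SSP and POA&M above call for "replay resistance". The following Python is an added example, not code from the original page or from any of the vendors listed, showing how a server verifies such codes and what replay resistance means in practice: a code that was accepted once is refused if presented again, even while it is still inside the clock-skew window. The user name, timestamps, and secret are constructed test values; the secret and the first three expected codes are the RFC 6238 reference vectors.

```python
"""RFC 6238 TOTP verification with a clock-skew window and replay protection.

Added example for illustration, not code from the page. User names, secret,
and timestamps are constructed test values (the secret is the RFC 6238 test
secret "12345678901234567890").
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # time step used by Google/Microsoft Authenticator
DIGITS = 6          # code length used by those apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step))


class TotpVerifier:
    """Server-side verifier: per-user secret, +/- `window` steps of clock skew,
    and rejection of any code whose time step was already accepted."""

    def __init__(self, window: int = 1):
        self.window = window
        self._secrets: dict[str, bytes] = {}
        self._last_step: dict[str, int] = {}   # highest accepted step per user

    def enroll(self, user: str, secret_b32: str) -> None:
        # Authenticator apps hold the secret base32-encoded (the QR payload).
        self._secrets[user] = base64.b32decode(secret_b32, casefold=True)

    def verify(self, user: str, code: str, now: float | None = None) -> bool:
        secret = self._secrets.get(user)
        if secret is None or len(code) != DIGITS or not code.isdigit():
            return False
        now = time.time() if now is None else now
        current = int(now // STEP_SECONDS)
        for step in range(current - self.window, current + self.window + 1):
            # Constant-time compare so the check does not leak matching digits.
            if hmac.compare_digest(hotp(secret, step), code):
                # Replay resistance: a step at or below the last accepted one
                # is refused even though the code itself is still "valid".
                if step <= self._last_step.get(user, -1):
                    return False
                self._last_step[user] = step
                return True
        return False


RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32 of RFC_SECRET


def demo() -> list[bool]:
    """Run the verifier through accept, replay, wrong-code, and next-step cases."""
    v = TotpVerifier(window=1)
    v.enroll("alice", RFC_SECRET_B32)          # constructed user
    code = totp(RFC_SECRET, 59)                # "287082" at T=59 (RFC vector)
    return [
        v.verify("alice", code, now=59),       # first use: accepted
        v.verify("alice", code, now=59),       # same code again: replay, refused
        v.verify("alice", code, now=75),       # still inside skew window, still refused
        v.verify("alice", "081804", now=75),   # valid-looking code for a far-off step: refused
        v.verify("alice", totp(RFC_SECRET, 120), now=120),   # later step: accepted
    ]


if __name__ == "__main__":
    print(demo())   # [True, False, False, False, True]
```

    The `_last_step` bookkeeping is what turns a plain TOTP check into a replay-resistant one; without it, a code captured by a phishing proxy remains usable for the rest of the window (up to 90 seconds with `window=1`). In a real deployment that state lives in the authentication database, and the same high-water-mark rule applies to hardware event-based (HOTP) tokens using their counter instead of the time step.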


    RELEVANT INFORMATION:

    Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security. Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information. [SP 800-63-3] provides guidance on digital identities. [24]

    Multifactor authentication requires two or more different factors to achieve authentication. The factors include: something you know (e.g., password/PIN); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). The requirement for multifactor authentication should not be interpreted as requiring federal Personal Identity Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. A variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokens (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials. [25]

    Local access is any access to a system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. Network access is any access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).



    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, and expiration, as well as the implementation of multi-factor authentication for an extra layer of security. If the policy mandates periodic password changes, note that SP 800-63B recommends against forced rotation unless there is evidence of compromise; screening new passwords against known-breached lists is the preferred control.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.