Back to Control Explorer
IA.1.076
Content
Control Acronym
IA
Family
Identification And Authentication
CMMC Level
1
800-171 Control #
3.5.1
CMMC Description
Identify information system users, processes acting on behalf of users, or devices.
CMMC Clarification
Authentication helps you to know who is using or viewing your system. Make sure to assign individual, unique identifiers, like user names, to all employees/users who access company systems. Confirm the identities of users, processes, or devices before allowing them access to the company’s information system-usually done through passwords. Example You lead a project with the Department of Defense (DoD) for your small company and want to make sure that all employees working on the project can log on to the company system to see important information about the project. You also want to prevent employees who are not working on the DoD project from being able to access the information. You set up the system so that when an employee logs on, the system uniquely identifies each person, then determines the appropriate level of access.
800-171 Description
Identify system users, processes acting on behalf of users, and devices.
800-171 Discussion
Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device.[SP 800-63-3] provides guidance on digital identities.
Other Source Discussion
N/A
CIS Control References
CIS Controls v7.1 4.2, 4.3, 16.8, 16.9
NIST 800-53 Control Ref.
NIST SP 800-53 Rev 4 IA-2, IA-3, IA-5
CMMC Derived
NIST CSF Control References
NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7
NIST 800-171 References
NIST SP 800-171 Rev 1 3.5.1
Applicable FAR Clause
FAR Clause 52.204-21 b.1.v
NIST CSF Control Reference
CERT RMM Reference
CERT RMM v1.2 ID:SG1.SP1
Modification of NIST 800-171B Reference
NIST 800-171B Reference
UK NCSCCyber Reference
AS ACSC Reference
Sub-Criterias
Assessment Sub-Criteria 1
IA.1.076.[a] system users are identified;
Assessment Sub-Criteria 2
IA.1.076.[b] processes acting on behalf of users are identified; and
Assessment Sub-Criteria 3
IA.1.076.[c] devices accessing the system are identified.