In 2015, NIST introduced Special Publication (SP) 800-171. NIST kept the practice number 3.5.2 through the first and second revisions. NIST SP 800-171 Revision 3 has changed this requirement's number to 03.05.02.
The Cybersecurity Maturity Model Certification (CMMC) rule will verify SP 800-171 Rev 2. CMMC 1.02 numbered this practice IA.1.077, then AC.L1-3.5.1 under CMMC 2.0. This practice applies to organizations seeking compliance at any level of CMMC.
As of December 2023, CMMC 2.1 created two numbers for this practice:
CMMC Level 1 uses the label IA.L1-B.1.VI. Section b(vi) references the Federal Acquisition Regulation (FAR) clause 52.204-21.
CMMC Level 2 uses the label IA.L2-3.5.2. IA identifies the identification and authentication domain. L2 identifies the applicability to CMMC Level 2. 3.5.2 references the original number from NIST SP 800-171 Rev 2 (3.5.2).
Practice Statement
NIST derived SP 800-171 basic security requirements from FIPS 200. Below is the original language from FIPS 200:
NIST abbreviated the language for 3.5.2 in SP 800-171 to:
Assessment Objectives
NIST provides assessment procedures for the security requirements within SP 800-171A. These procedures apply assessment methods to assessment objects. The three methods include examining artifacts, interviewing personnel, and testing mechanisms. The assessor evaluates each part to produce a finding. A “satisfied” finding indicates an acceptable implementation. A finding of “other than satisfied” indicates one or more anomalies.
The assessment objectives for 3.5.2 contain three parts:
NIST SP 800-53 Mapping
Appendix D within SP 800-171 maps requirements to controls from SP 800-53 Rev 4. This mapping relates 3.5.2 to IA-2, IA-3 and IA-5.
We mapped these three objectives to the closest SP 800-53A Rev 5 objectives. We used guidance from NIST IR 8477 to define the nature and strength of the relationships. The findings indicated that:
AC.L1-3.5.2(a) is a subset of IA-02[01] (strong relationship)
AC.L1-3.5.2(b) intersects with IA-02[02] (moderate relationship)
AC.L1-3.5.2(c) intersects with IA-03 (strong relationship)
Analysis of Discussion
The CMMC Assessment Guide includes supplemental guidance from SP 800-53 Rev 4 [IA-5].
Authenticator Management
The initial sentence drops several authenticator examples found in IA-5, including tokens, biometrics, and PKI certificates. In their place, NIST added examples of cryptographic devices and one-time password devices.
The CMMC Assessment Guide also provides a practical guide for further discussion. This section simplifies the concept by including actionable steps:
Before you let a person or device access your system, verify their identity. Authentication is the process of verifying an identity. The most common way to verify an identity is using a username and hard-to-guess password.
Some devices ship with default usernames and passwords. For example, when you first log on to the device, the username is “admin” and the password is “admin”. You should immediately change the default password to a unique password you create. Default passwords may be well known to the public, easy to find in a search, or easy to guess. This may allow an unauthorized person to access your system.
The CMMC Assessment Guide also provides two examples:
You are in charge of purchasing. You know that some laptops come with a default username and password. You notify IT that all default passwords should be reset before deploying the laptop for use [a]. You ask IT to explain the importance of resetting default passwords. Your cybersecurity awareness training discusses how the internet makes them easy to discover.
Your company decides to use cloud services for email and other capabilities. You realize every user or device connecting to the cloud service must authenticate. You work with the cloud service provider to establish authentication protocols. The cloud services only allow connections for authenticated users and devices [a,c].
DoD Criticality
The NIST SP 800-171 DoD Assessment Methodology Version 1.2.1 assigns a 5-point value to this practice. Failing this practice may lead to data exfiltration or exploitation of the network. CMMC section 170.21(ii) removes this practice's eligibility for a limited deficiency. This practice aligns with the basic cybersecurity safeguards requirements of 52.204-21.
SP 800-53 labels each control with an implementation type:
(S) implemented by an information system through technical means
(O) implemented by an individual through nontechnical means
(O/S) implemented by an organization, system, or combination of the two
NIST defines the implementation of the corresponding SP 800-53 controls as:
IA-2 as (O/S) combination of technical and non-technical
IA-3 as (S) technical
IA-5 as (O/S) combination of technical and non-technical
The crosswalk suggests that 3.5.2 has both technical and administrative components. The Defense Contract Management Agency (DCMA) published guidance for assessing SP 800-171. The DCMA Guide identifies screen shares as the relevant evidence for parts (a), (b) and (c). We concluded all parts of this practice are technical.
You may have noticed the assessment objectives bear a strong resemblance to the last three parts of 3.1.1:
The access control domain focuses on authorization. Authorization refers to the act of granting access privileges. Authorization requires approval when granting privilege or access. Authenticating refers to the act of verifying the identity of a user, process, or device. This is a prerequisite for granting access to resources within an information system. Authentication is a technical mechanism supporting authorization policy decisions, rules and procedures.
Inheritance
You may inherit this practice. An external service provider may manage the mechanism for identification and authentication. The following three shared responsibility matrices show this as an inherited practice:
Shared responsibility matrices may not cover system components not managed by the provider.
Implementation
The Department of Defense categorizes 3.5.2 as a configuration. Part (a) requires a technical mechanism to authenticate users. Credential Service Providers (CSPs) are synonymous with identity providers (IDPs). This system component maintains a record of all authenticators associated with each identity. A CSP or IDP binds authenticators to subscriber accounts during enrollment. They may also associate acceptable subscriber-provided authenticators post-enrollment. NIST SP 800-63B discusses authentication and life cycle management.
An authenticator is something a claimant possesses (such as a key or password) to verify a claim.
Digital authentication is the process of determining authenticator validity.
Authentication is central to the process of associating a subscriber with their activity. Authentication verifies that the claimant controls one or more authenticators associated with a subscriber. NIST SP 800-63B characterizes authentication mechanism strength using Authenticator Assurance Levels (AAL):
Authenticator Assurance Level 1 (AAL1) provides some assurance the claimant controls an authenticator bound to the account. Level 1 requires either single-factor or multi-factor authentication. When using Level 1, NIST recommends employing the low baseline of controls from SP 800-53. Level 1 uses a wide range of secure authentication protocols:
Something you know
Memorized Secret is a password or PIN. NIST makes the following recommendations when using memorized secrets:
Passwords chosen by the subscriber should include at least 8 characters.
Passwords should accommodate all printing ASCII characters and the space character.
Randomly generated passwords or PINs should include at least 6 characters.
Do not prompt users with hints to help recall memorized secrets.
Organizations should disallow a list of compromised values. This includes:
Passwords obtained from previous breach corpora,
Dictionary words,
Repetitive or sequential characters, and
Context-specific words (name of the service, username, or their derivatives).
Organizations should offer guidance, such as a password-strength meter.
Use a rate-limiting mechanism to limit the number of failed attempts.
Do not impose composition rules (requiring mixtures of character types).
Do not mandate a periodic change of secrets.
Force a password change if there is evidence of compromise of the authenticator.
Allow claimants to use "paste" functionality to enable the use of password managers.
Offer the option to display a secret - rather than asterisks - while entering it.
Use approved encryption and an authenticated protected channel to send secrets.
Salt and hash memorized secrets before storing them.
Use a suitable one-way key derivation function to store passwords.
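As an added example (not code from the CMMC guide, NIST, or this page), the following Python applies the memorized-secret rules listed above to a candidate password and stores an accepted secret with a salt and a one-way key derivation function. The blocklist, the username and the service name are constructed stand-ins.

```python
import hashlib
import os
import secrets
import string

# Constructed stand-in for the breach-corpus and dictionary-word blocklist.
BLOCKLIST = {"password", "letmein", "qwerty", "welcome1", "sunshine"}
# All printing ASCII characters plus the space character are allowed.
PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")


def has_run(secret: str, length: int = 4) -> bool:
    """True if `length` consecutive characters are identical (aaaa) or form an
    ascending or descending sequence (1234, dcba)."""
    codes = [ord(c) for c in secret.lower()]
    for i in range(len(codes) - length + 1):
        steps = {b - a for a, b in zip(codes[i:i + length], codes[i + 1:i + length])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_memorized_secret(secret, *, username, service, user_chosen=True):
    """Return the reasons a memorized secret is rejected; an empty list means
    accepted. Applies the SP 800-63B rules above: minimum length, printable
    ASCII plus space, blocklist checks, and deliberately no composition rules."""
    reasons = []
    minimum = 8 if user_chosen else 6   # randomly generated secrets may be 6
    if len(secret) < minimum:
        reasons.append(f"shorter than {minimum} characters")
    if any(c not in PRINTABLE_ASCII for c in secret):
        reasons.append("contains characters outside printable ASCII")
    lowered = secret.lower()
    if lowered in BLOCKLIST:
        reasons.append("found in breach corpus or dictionary")
    if has_run(secret):
        reasons.append("repetitive or sequential characters")
    for word in (username, service):   # context-specific words
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    return reasons


def hash_secret(secret: str) -> dict:
    """Salt and hash the secret with a one-way KDF (PBKDF2-HMAC-SHA256) so the
    stored record cannot be reversed into the secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 600_000)
    return {"kdf": "pbkdf2-sha256", "salt": salt.hex(), "hash": digest.hex()}


def verify_secret(secret: str, record: dict) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 600_000)
    return secrets.compare_digest(digest.hex(), record["hash"])
```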
Look-Up Secret is a physical or electronic record that stores a set of secrets. For example, a string of characters printed on a card in table format. The claimant uses the authenticator to look up the appropriate secret(s). The claimant provides the secret in response to a prompt from the verifier.
Out-of-Band Devices are unique, addressable physical devices. The claimant possesses and controls the device. Secure communications from the claimant to the verifier occur over a distinct channel. This adds a secondary channel outside the primary channel initiating the authentication. The purpose is to bind authentication on both the primary and secondary channels.
Single-Factor One-Time Password (OTP) Devices generate OTPs using an embedded secret. The device displays the OTP that the claimant uses for transmission. For example, an OTP may display 6 characters at a time. OTP devices are like look-up secret authenticators but they use cryptographic means. OTPs contain two persistent values. The first is a symmetric key that persists for the device’s lifetime. A counter or time-based calculation generates a second unique value (nonce). OTP verifiers duplicate the process of generating the OTP used by the authenticator.
Multi-factor OTP Devices generate OTPs for use through a second authentication factor. Devices achieve the second-factor through an entry pad, biometric reader, or interface. Activation of a multi-factor OTP requires something you know or something you are.
Single-Factor Cryptographic Software is a cryptographic key stored on disk or soft media. Claimants authenticate by proving possession and control of the key. The authenticator output is generally some type of signed message.
Single-Factor Cryptographic Devices provide the authenticator output via an endpoint connection. They use embedded symmetric or asymmetric cryptographic keys. They do not need activation through a second factor of authentication.
Multi-Factor Cryptographic Software requires a second factor authentication to activate. These other factors may include something you know or something you are. A disk or some other “soft” media stores the cryptographic key. The claimant proves possession and control of the key to authenticate.
Multi-Factor Cryptographic Devices need activation through a second factor of authentication. These factors include something you know or something you are. Tamper-resistant hardware stores the cryptographic keys. The claimant proves possession and control of the key to authenticate.
Something you are
Use of Biometrics - NIST SP 800-63B only supports limited use of biometrics. The False Match Rate (FMR) by itself does not provide sufficient confidence in the subscriber's identity. Biometric characteristics do not constitute secrets. They are obtainable online or by taking a picture of someone with or without their knowledge. NIST only recommends their use within multi-factor authentication with a physical authenticator.
Authenticator Assurance Level 2 (AAL2) provides high confidence that the claimant controls authenticators bound to the account. Level 2 requires proof of possession and control of two different authentication factors. This may include a multi-factor authenticator or a combination of two single-factor authenticators. NIST also recommends employing the moderate baseline of controls from SP 800-53.
AAL2 allows for the use of the following multi-factor authenticators:
Multi-Factor OTP Device
Multi-Factor Cryptographic Software
Multi-Factor Cryptographic Device
AAL2 allows for the use of a combination of the following single-factor authenticators:
Look-Up Secret
Out-of-Band Device
Single-Factor OTP Device
Single-Factor Cryptographic Software
Single-Factor Cryptographic Device
Authenticator Assurance Level 3 (AAL3) provides very high confidence the claimant controls authenticators bound to the account. Level 3 requires proof of possession of a key through a cryptographic protocol. Verification requires both a hardware-based authenticator and an impersonation-resistant authenticator. The same device may fulfill both of these requirements. The claimant proves possession and control of two distinct authentication factors. Both factors use secure authentication protocols. NIST also recommends employing the high baseline of controls from SP 800-53.
AAL3 allows for the combined use of the following authenticators:
Multi-Factor Cryptographic Device
Single-Factor Cryptographic Device used in conjunction with a Memorized Secret
Multi-Factor OTP device used in conjunction with a Single-Factor Cryptographic Device
Multi-Factor OTP device used in conjunction with Single-Factor Cryptographic Software
Single-Factor OTP Device used in conjunction with Multi-Factor Cryptographic Software
Single-Factor OTP Device used with Single-Factor Cryptographic Software and a Memorized Secret
Your system may not have processes acting on behalf of users (b). Processes acting on behalf of users are accounts that act like people but are not people. Processes include service accounts executing scripts, scheduled tasks or batch processes. These automated processes use non-interactive authentication.
Part (c) requires authentication of devices. Registering and domain-joining devices meet the requirements of identifying and authenticating devices. NIST SP 800-53 IA-3 references the following solutions to authenticate devices:
Institute of Electrical and Electronics Engineers (IEEE) 802.1X
A port-based network access control mechanism.
Authenticates connections to local area networks (LANs) or wireless local area networks (WLANs). The three roles in 802.1X are:
A supplicant is the device providing credentials to authenticate.
An authenticator is the access point requesting the credentials.
An authentication server is a centralized server that validates the credentials.
Authentication of users, processes, and devices is a preventative control. Forbes Advisor reported that 68% of Americans changed passwords across accounts due to compromise. Social media and email accounts were the most commonly compromised. Organizations should assume compromise of their users' passwords and, based on that assumption, plan for a layered defense. According to CISA, malicious cyber actors also continue to exploit default passwords. Understanding the NIST authentication guidelines helps better secure systems and sensitive data.
Extensible Authentication Protocol (EAP) is a framework of authentication methods.
IEEE 802.1X may use one of four main types of EAP:
Lightweight EAP (LEAP)
Does not use digital certificates, so it is easier to deploy
Mutual authentication between the supplicant and authentication server
Protects against rogue access points
EAP Flexible Authentication via Secure Tunneling (EAP-FAST)
Does not use digital certificates, so it is easier to deploy
The authenticator relays traffic between the supplicant and authentication server
Mutual authentication between the supplicant and authentication server
Creates a secure tunnel between the supplicant and authentication server
Generates Protected Access Credentials (PACs)
Requires a client on the supplicant
Protected EAP (PEAP)
The supplicant validates the digital certificate of the authentication server
The authentication server validates the supplicant's authenticator
Protects against rogue access points
EAP Transport Layer Security (EAP-TLS)
Both the supplicant and authentication server have digital certificates
Both the supplicant and authentication server verify each other's certificates
Kerberos
Kerberos is a computer network authentication protocol.
Microsoft uses Kerberos for Azure Active Directory Domain Services (Azure AD DS).
Microsoft Entra ID uses one of the following protocols:
OAuth 2.0,
OpenID Connect (OIDC), or
Security Assertion Markup Language (SAML)
Authentication occurs at both ends (client/service) of the communication.
A Key Distribution Center (KDC) contains, and acts as the mediator between, the:
Authentication Server (AS) and
Ticket Granting Service (TGS)
Tickets are a local form of personal identification.
Each ticket belongs to a realm that determines the accessible services.
Upon successful authentication, the KDC generates a Ticket-Granting Ticket (TGT).
The KDC provides the TGT to the client, who presents it when requesting the desired services.
The services verify the TGT using the TGS within the KDC.
The TGS establishes a session key shared by the server and client.
You’ll need a mechanism to authenticate users, processes, and devices. An identity provider (IDP) is synonymous with a Credential Service Provider (CSP). Common examples include:
Microsoft Entra ID (for cloud-based identities),
Microsoft Active Directory Domain Services (for on-premises IT environments)
Microsoft Entra Domain Services (synchronizes on-premises and cloud-based identities)
Google Workspace
Microsoft Environment
Microsoft provides guidance in implementing this practice using Entra ID and Intune.
Secure authentication protocols grant access to the system and resources.
Any password or PIN must meet the standards outlined in NIST SP 800-63B.
IT will ensure that no system components or applications use default passwords.
IT will maintain a list of compromised passwords or PINs and disallow their use.
IT will enforce a password or PIN change if there is evidence of compromise.
IT will salt and hash stored passwords or PINs using approved cryptographic methods.
IT will ensure authorized service accounts only use secure authentication protocols.
IT will ensure authorized devices connect to the system using secure authentication protocols.
Continuous Monitoring Tasks
A continuous monitoring task verifies that controls produce their desired outcome(s). The practice 3.5.2 has three desired outcomes:
Authorized users authenticate to connect to the system
Processes acting on behalf of a user authenticate to connect to the system
Devices authenticate to connect to the system
Most organizations set and forget their configuration of authentication protocols. Performing the following activities may help verify the effectiveness of these controls:
Review Account Types to ensure appropriate use of temporary or emergency accounts.
Updating the system component inventory may verify authentication occurs only for authorized devices. As part of this process, staff may verify that there are no default authenticators.
Proposed Rev 3 Changes
NIST SP 800-171 Rev 3 aligns 03.05.02 with IA-03 from SP 800-53 Rev 5. Rev 3 incorporates the authentication of users and processes into 03.05.01. Requirement 03.05.02 now focuses on the identification and authentication of devices. There are still three parts to 03.05.02:
ODP[01] defines the unique devices requiring identification and authentication.
Part [01] identifies ODP[01] devices before establishing a system connection.
Part [02] authenticates ODP[01] devices before establishing a system connection.
The crosswalk below shows the mapping of these requirements back to related parts of 3.5.2 from Revision 2:
Conclusion
Most organizations rely on usernames and passwords to authenticate users. The password recommendations from NIST SP 800-63B apply to a broad audience. Organizations should consider using AAL2 or AAL3 standards to strengthen their authentication protocols. Using strong authentication protocols is foundational to protecting sensitive data from adversarial threats.