CMMC Identification and Authentication

CMMC Identification and Authentication is one of the 17 CMMC domains and serve as a stepping stone to later practices within CMMC. This blog covers main information related to the domain practices.

Introduction to CMMC Identification and Authentication Domain

This article touches upon one of the domains within CMMC: Identification and Authentication.  

Identification and Authentication (IA) will serve as a stepping stone to later practices within CMMC. It is important to understand and implement the requirements within this domain as it will help to solidify security and accountability within your organization.  

We will be exploring Identification and Authentication in the following manner:  

What are CMMC Identification and Authentication?  

The main focus of the Identification and Authentication domain is on identifying users, processes, or devices and authenticating their identity and their access to organizational information systems.  

For CMMC 2.0, there are two practices in CMMC Level 1 for Identification and Authentication and nine practices in CMMC Level 2. For CMMC Level 3, the IA practices are not finalized yet. Here is a breakdown of the concepts discussed in these practices:  

Identification  

Various users and processes will need to access and use your organizational information systems daily. Ensuring that each entity is identifiable is important, as that will allow you to track their activity and level of access in your system. You have to assign unique identifiers for users (usernames) and processes that access any system within your organization. Any devices authorized to access your network should also have a unique identifier so you are aware of every device connected to your network. Identifiers can be simple, such as a set of alphanumeric characters.  

Authentication  

After identifying entities, the next step is to authenticate/verify the identities of those entities. This must be done before allowing access to any system within your organization. Authentication can be done through a variety of methods, whether it be passwords, key cards, or cryptographic devices. Your organization should also set requirements and restrictions for these authentication methods, such as a certain password policy, a certain number of attempts for any cryptographic devices, and timers/expiration policy on one-time-use passwords or access. You can add to authentication efficiency by enforcing multi-factor authentication, especially for local and network access to privileged accounts and remote access to non-privileged accounts. Authentication management is the final thing to be aware of, including adding or revoking access as needed for entities.  

Identifier Reuse and Handling  

As aforementioned, identifiers are important in establishing the identity of an entity. Your organization must set guidelines and requirements to prevent the reuse of identifiers and implement mechanisms to enforce these requirements. It is also important to handle your existing identifiers, especially ones not being used. These should be disabled with a set time defined for when an identifier is disabled, and all identifiers should be subject to this to ensure safety and security for your organization.  

Password Complexity and Reuse  

Passwords are one of the most important forms of authentication for individuals and one of the most basic. Organizations should define and enforce a minimum password complexity (e.g. minimum of 12 characters containing a combination of upper case, lower case, number, and special characters). Password reuse is equally important, as you should not allow individuals to reuse passwords for a defined period. Set a policy within your organization for passwords to be changed in a certain amount of time. All passwords should be cryptographically protected using a one-way function for any storage and transmission, as it is the most efficient way to ensure they are not compromised.  

Obscurity  

For any authentication information, devices and entities maintain a certain level of obscurity to protect information. The obscurity level depends on certain factors, such as a large monitor will not require the same amount as a mobile device. Some methods for obscuring feedback can include hiding passwords while they are being entered through asterisks or hiding other information after a short display time. You could also hide information by default and allow the user to display it if needed. It is up to your organization to determine the policies behind obscuring the feedback.  

How do you enforce Identification and Authentication in your organization?  

The requirements within this domain will help identify all users, processes, and devices within your organization. You will be able to authenticate these entities further and determine their access to your systems. If you meet these requirements, you will be well within your CMMC journey.  

For CMMC Level 1, your organization will have to perform a self-assessment for the two practices in the Identification and Authentication domain. For CMMC Level 2, your organization will have to look further into the other nine practices and provide proper implementation and documentation. Here is some guidance on what to include or look for:  

  • Identification and Authentication policy
  • Procedures addressing user identification and authentication
  • List of system accounts
  • List of system authentication types
  • System audit logs and records
  • System Security Plan (SSP)
  • System Design documentation
  • System Configuration settings  

 

How do you comply with CMMC Identification and Authentication requirements?    

Identification and Authentication is an important domain within CMMC that is required to be implemented by your organization. The self-assessment of a CMMC practice and the assessment performed by a Certified Assessor result in one of three possible findings: 'MET', 'NOT MET', or 'NOT APPLICABLE'.    

Self-Assessment of CMMC Level-1 Practices  

To demonstrate CMMC Level 1 compliance, the contractor will need to perform a self-assessment based on the CMMC 2.0 Level 1 Self-Assessment Guide and will need a finding of 'MET' or 'NOT APPLICABLE' on all the 17 Level-1 practices, including Identification and Authentication.  

Assessment of CMMC Level 2 and Level 3  

To demonstrate CMMC Level 2 or 3 compliance, the contractor will need to undergo a C3PAO or a Government audit and find 'MET' or 'NOT APPLICABLE' on all the 110 practices of Level-2. A contractor can achieve a CMMC certification for an entire enterprise network, for a particular segment(s), or a specific enclave, depending upon the scope of CMMC assessment.    

For CMMC Level, a finding of 'NOT MET' means you are not compliant.  

About InterSec CMMC Compliance Advisory and Consulting Services

InterSec Inc's cmmc advisory, consulting, and Cybersecurity Services have helped many defense contractors in industries ranging from Professional Services, Health, and Manufacturing to comply with NIST 800-171, CMMC, FedRAMP, HITECH compliance, etc.). InterSec is a CMMC-AB RPO. Our Registered Practitioners and Certified Assessors team can help you cost-effective compliance. 

You may have security measures to address the CMMC requirements, but if you're doubtful about how do they stack up to the latest CMMC 2.0 standards and certification expectations, our free CMMC self-assessment can help you find out your CMMC posture. Complying with these Identification and Authorization (IA) practices means you're one step closer to the next domain, and, to your CMMC compliance.  

If you need help with CMMC compliance, you can schedule a 30-minute free consultation with our experts.