Skip to content

IA-2: Identification and Authentication (Organizational Users)

An OSCAL Control

Statement

    • Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

        • Requirement:

          For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

        • Requirement:

          Multi-factor authentication must be phishing-resistant.

        • Guidance:

          "Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

        • Guidance:

          All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.