Skip to content

IA-5: Authenticator Management

An OSCAL Control

Statement

    • Manage system authenticators by:

      • a.

        Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;

      • b.

        Establishing initial authenticator content for any authenticators issued by the organization;

      • c.

        Ensuring that authenticators have sufficient strength of mechanism for their intended use;

      • d.

        Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;

      • e.

        Changing default authenticators prior to first use;

      • f.

        Changing or refreshing authenticators or when occur;

      • g.

        Protecting authenticator content from unauthorized disclosure and modification;

      • h.

        Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and

      • i.

        Changing authenticators for group or role accounts when membership to those accounts changes.

        • Requirement:

          Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3

        • Guidance:

          SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).