Requirement text:
IA.1.076: Identify information system users, processes acting on behalf of users, or devices.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Common device identifiers include media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. NIST SP 800-63-3 provides guidance on digital identities.
CMMC CLARIFICATION
Authentication helps you to know who is using or viewing your system. Make sure to assign individual, unique identifiers, like user names, to all employees/users who access company systems. Confirm the identities of users, processes, or devices before allowing them access to the company’s information system; this is usually done through passwords.
Example
You lead a project with the Department of Defense (DoD) for your small company and want to make sure that all employees working on the project can log on to the company system to see important information about the project. You also want to prevent employees who are not working on the DoD project from being able to access the information. You set up the system so that when an employee logs on, the system uniquely identifies each person, then determines the appropriate level of access.
Get Audit Ready
How to pass? Use individual accounts for each person in your business, and don’t allow password sharing. Individual accounts let your computers and software know who is logged on so that the appropriate level of access is granted and their actions can be traced back to them.
How to fail? Multiple people know the password for your computer, which has the credentials for your bank stored in the web browser. One day, funds are stolen from your bank account. When you review the logs, they say that your account did it. It is impossible to determine who stole the funds.
References
• FAR Clause 52.204-21 b.1.v
• NIST SP 800-171 Rev 1 3.5.1
• CIS Controls v7.1 4.2, 4.3, 16.8, 16.9
• NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7
• CERT RMM v1.2 ID:SG1.SP1
• NIST SP 800-53 Rev 4 IA-2, IA-3, IA-5