Identification and Authentication

11 controls in this family.

3.5.1

Identify system users, processes acting on behalf of users, and devices.

3.5.2

Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

3.5.3

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. [24] [25]

3.5.4

Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

3.5.5

Prevent reuse of identifiers for a defined period.

3.5.6

Disable identifiers after a defined period of inactivity.

3.5.7

Enforce a minimum password complexity and change of characters when new passwords are created.

3.5.8

Prohibit password reuse for a specified number of generations.

3.5.9

Allow temporary password use for system logons with an immediate change to a permanent password.

3.5.10

Store and transmit only cryptographically-protected passwords.

3.5.11

Obscure feedback of authentication information.
