N
|
controlIA-2

Identification and Authentication (Organizational Users) (IA-2)

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

Security Baselines

LOWMODERATEHIGH
identificationauthenticationidentity

Why These Connect

Baselined In3

This control is included in the linked security baseline (LOW, MODERATE, or HIGH).

Supports38

These related controls work together — a change to one may affect the others.

Mitigates7

This control helps defend against or reduce the risk of the linked threat technique.

Enhances13

These enhancements add specific capabilities or refinements to the base control.

Related Controls(25)

AC-2Account Management (AC-2)
LMH
AC-3Access Enforcement (AC-3)
LMH
AC-5Separation of Duties (AC-5)
MH
AC-14Permitted Actions Without Identification or Authentication (AC-14)
LMH
AC-17Remote Access (AC-17)
LMH
AC-18Wireless Access (AC-18)
LMH
AC-19Access Control for Mobile Devices (AC-19)
LMH
AU-6Audit Record Review, Analysis, and Reporting (AU-6)
LMH
AC-4Information Flow Enforcement (AC-4)
MH
AU-1Policy and Procedures (AU-1)
LMH
IA-4Identifier Management (IA-4)
LMH
IA-5Authenticator Management (IA-5)
LMH
IA-8Identification and Authentication (Non-organizational Users) (IA-8)
LMH
IA-13Identity Providers and Authorization Servers (IA-13)MA-4Nonlocal Maintenance (MA-4)
LMH
MA-5Maintenance Personnel (MA-5)
LMH
PE-2Physical Access Authorizations (PE-2)
LMH
PL-4Rules of Behavior (PL-4)
LMH
SA-4Acquisition Process (SA-4)
LMH
SA-8Security and Privacy Engineering Principles (SA-8)
LMH
IA-10Adaptive Authentication (IA-10)IA-11Re-authentication (IA-11)
LMH
IA-12Identity Proofing (IA-12)
MH
SC-37Out-of-band Channels (SC-37)SC-45System Time Synchronization (SC-45)

Threat Coverage(7 ATT&CK techniques)

T1133External Remote ServicesT1078Valid AccountsT1136Create AccountT1110Brute ForceT1528Steal Application Access TokenT1558Steal or Forge Kerberos TicketsT1021Remote Services

Control Enhancements(13)

IA-2(1)Multi-factor Authentication to Privileged Accounts (IA-2(1))
LMH
IA-2(2)Multi-factor Authentication to Non-privileged Accounts (IA-2(2))
LMH
IA-2(3)Local Access to Privileged Accounts (IA-2(3))W
IA-2(4)Local Access to Non-privileged Accounts (IA-2(4))W
IA-2(5)Individual Authentication with Group Authentication (IA-2(5))
H
IA-2(6)Access to Accounts —separate Device (IA-2(6))
IA-2(7)Network Access to Non-privileged Accounts — Separate Device (IA-2(7))W
IA-2(8)Access to Accounts — Replay Resistant (IA-2(8))
LMH
IA-2(9)Network Access to Non-privileged Accounts — Replay Resistant (IA-2(9))W
IA-2(10)Single Sign-on (IA-2(10))
IA-2(11)Remote Access — Separate Device (IA-2(11))W
IA-2(12)Acceptance of PIV Credentials (IA-2(12))
LMH
IA-2(13)Out-of-band Authentication (IA-2(13))

See Also

@SP 800-53 OverviewCompare Baselines