N
|
controlIA-5

Authenticator Management (IA-5)

Manage system authenticators by:

Security Baselines

LOWMODERATEHIGH
identificationauthenticationidentity

Why These Connect

Baselined In3

This control is included in the linked security baseline (LOW, MODERATE, or HIGH).

Supports39

These related controls work together — a change to one may affect the others.

Mitigates7

This control helps defend against or reduce the risk of the linked threat technique.

Enhances18

These enhancements add specific capabilities or refinements to the base control.

Related Controls(24)

AC-2Account Management (AC-2)
LMH
AC-3Access Enforcement (AC-3)
LMH
AC-5Separation of Duties (AC-5)
MH
AC-7Unsuccessful Logon Attempts (AC-7)
LMH
AU-6Audit Record Review, Analysis, and Reporting (AU-6)
LMH
AU-7Audit Record Reduction and Report Generation (AU-7)
MH
CA-7Continuous Monitoring (CA-7)
LMH
CM-6Configuration Settings (CM-6)
LMH
IA-2Identification and Authentication (Organizational Users) (IA-2)
LMH
IA-3Device Identification and Authentication (IA-3)
MH
IA-4Identifier Management (IA-4)
LMH
AC-6Least Privilege (AC-6)
MH
IA-7Cryptographic Module Authentication (IA-7)
LMH
IA-8Identification and Authentication (Non-organizational Users) (IA-8)
LMH
IA-9Service Identification and Authentication (IA-9)MA-4Nonlocal Maintenance (MA-4)
LMH
PE-2Physical Access Authorizations (PE-2)
LMH
PL-4Rules of Behavior (PL-4)
LMH
SC-12Cryptographic Key Establishment and Management (SC-12)
LMH
SC-13Cryptographic Protection (SC-13)
LMH
IA-12Identity Proofing (IA-12)
MH
PM-31Continuous Monitoring Strategy (PM-31)SC-17Public Key Infrastructure Certificates (SC-17)
MH
SC-37Out-of-band Channels (SC-37)

Threat Coverage(7 ATT&CK techniques)

T1133External Remote ServicesT1078Valid AccountsT1110Brute ForceT1003OS Credential DumpingT1528Steal Application Access TokenT1558Steal or Forge Kerberos TicketsT1021Remote Services

Control Enhancements(18)

IA-5(1)Password-based Authentication (IA-5(1))
LMH
IA-5(2)Public Key-based Authentication (IA-5(2))
MH
IA-5(3)In-person or Trusted External Party Registration (IA-5(3))W
IA-5(4)Automated Support for Password Strength Determination (IA-5(4))W
IA-5(5)Change Authenticators Prior to Delivery (IA-5(5))
IA-5(6)Protection of Authenticators (IA-5(6))
MH
IA-5(7)No Embedded Unencrypted Static Authenticators (IA-5(7))
IA-5(8)Multiple System Accounts (IA-5(8))
IA-5(9)Federated Credential Management (IA-5(9))
IA-5(10)Dynamic Credential Binding (IA-5(10))
IA-5(11)Hardware Token-based Authentication (IA-5(11))W
IA-5(12)Biometric Authentication Performance (IA-5(12))
IA-5(13)Expiration of Cached Authenticators (IA-5(13))
IA-5(14)Managing Content of PKI Trust Stores (IA-5(14))
IA-5(15)GSA-approved Products and Services (IA-5(15))
IA-5(16)In-person or Trusted External Party Authenticator Issuance (IA-5(16))
IA-5(17)Presentation Attack Detection for Biometric Authenticators (IA-5(17))
IA-5(18)Password Managers (IA-5(18))

See Also

@SP 800-53 OverviewCompare Baselines