The challenges of the IA Security Control Family and how to remediate for FedRAMP HIGH

Chue Moua

Jun 16, 2020


The IA control family is dedicated to establishing and overseeing user identities and verifying their access to information systems. It encompasses measures to guarantee that both individuals and devices undergo proper identification and authentication before gaining entry to sensitive information and systems. This security control is subject to stringent regulation in the FedRAMP HIGH compliance framework, requiring additional deployments of identity providers to meet the specified security controls.

The components and objectives of the IA control family extend across various sections of the FedRAMP framework:

  • Identification (ID): Ensuring the unique identification of users and devices within the system.
  • Authentication (AU): Verifying the identity of users and devices using diverse methods such as passwords, smart cards, biometrics, etc.
  • Access Control (AC): Implementing mechanisms to control and restrict access based on authenticated identities and the principle of least privilege.
  • Accountability (AC): Establishing processes to trace and monitor user activities, providing a means to audit and investigate security incidents.
  • Session Management (SM): Managing and controlling user sessions to prevent unauthorized access and ensure proper session termination.

These controls collectively contribute to upholding the confidentiality, integrity, and availability of information within a system, ensuring that only authorized individuals or devices can access sensitive resources. The IA control family plays a crucial role in overall information security, aiding organizations in safeguarding against unauthorized access, identity theft, and various other security threats.

I will be focusing on the following security controls in today’s article:

  1. IA-2(11) – incorporated into IA-2(6)
  2. IA-5
  3. IA-5(3)

Challenges of Hard Token MFA and how to remediate

A “hard token” in Multi-Factor Authentication (MFA) is a physical device that enhances login security. It differs from a “soft token,” which is software-based. Common hard tokens include key fobs, smart cards, USB tokens, and biometric tokens; they generate codes that users enter along with their credentials. This adds an extra layer of security by requiring a physical token in addition to a password. Hard tokens provide added protection by requiring both something known (a password) and something possessed (the physical token), but users must keep the token itself secure.

Here are some common types of hard tokens for MFA:

  1. Key Fobs: Small, portable devices that generate time-based or event-based codes.
  2. Smart Cards: Credit card-sized cards embedded with a chip that can generate or store authentication information.
  3. USB Tokens: Physical devices that connect to a computer’s USB port and generate or store authentication credentials.
  4. Biometric Tokens: Some hard tokens may incorporate biometric features, such as fingerprint scanners, for additional security.

Definition of Security Control

Each control below is listed with its identifier, name, control text, discussion, and related controls.

IA-2(6)

Control Identifier: IA-2(6)
Control Name: Identification and Authentication (Organizational Users) | Access to Accounts — Separate Device
Control Text: Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that:
(a) One of the factors is provided by a device separate from the system gaining access; and
(b) The device meets [Assignment: organization-defined strength of mechanism requirements].
Discussion: The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multi-factor authentication is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token) provides a greater strength of mechanism and an increased level of assurance in the authentication process.
Related Controls: AC-6.

IA-5

Control Identifier: IA-5
Control Name: Authenticator Management
Control Text: Manage system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
b. Establishing initial authenticator content for any authenticators issued by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
e. Changing default authenticators prior to first use;
f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
g. Protecting authenticator content from unauthorized disclosure and modification;
h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
i. Changing authenticators for group or role accounts when membership to those accounts changes.
Discussion: Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.
Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.
Related Controls: AC-3, AC-6, CM-6, IA-2, IA-4, IA-7, IA-8, IA-9, MA-4, PE-2, PL-4, SC-12, SC-13.

IA-5(3)

Control Identifier: IA-5(3)
Control Name: Authenticator Management | In-person or Trusted External Party Registration
Control Text: [Withdrawn: Incorporated into IA-12(4).]

Remediation

There are multiple methods and technologies, but from our experience we have used YubiKeys with a number of IdP technologies.

Yubico’s recommended solution is SecureAuth IDP; more details about the solution are available here: https://www.yubico.com/works-with-yubikey/catalog/secureauth/

From our experience, we have used both of the methods described here:

Authlite / Yubikey / Active Directory: https://www.yubico.com/works-with-yubikey/catalog/authlite/

KeyCloak / Yubikey / Active Directory: https://www.keycloak.org/docs/latest/server_admin/

Explaining the methods in detail can be challenging, but it is essential to grasp the topology before setting it up. We suggest reading and understanding the information provided at this URL: https://support.yubico.com/hc/en-us/articles/7464901246236-Phishing-Resistant-Authentication-for-On-Premises-with-Active-Directory-and-Active-Directory-Federated-Services-using-Smart-cards

As technologies evolve regularly, these recommendations will remain available online. We encourage you to research thoroughly the deployment that best fits your infrastructure. The guidelines and technological requirements you need in order to meet these security controls are laid out above. Have a happy deployment!

The AI features of RiskGuardian360 provide further clarity and detailed instructions.

Consider incorporating RiskGuardian360 into your FedRAMP compliance strategy, especially for its AI feature. This tool excels in simplifying complex security controls requirements, providing clear step-by-step instructions along with detailed explanations and practical examples. By leveraging RiskGuardian360, you gain a user-friendly approach to comprehending and implementing security measures, ensuring a more effective and understandable application of security protocols.

Published On: November 28th, 2023 / Categories: compliance, Tips & Tricks /


How can I help?

With over two decades of experience in the field of IT and compliance, I have successfully overseen multiple FedRAMP certifications and a dozen ATOs within the realms of the DOJ and DOD.

“Chue is a brilliant technologist who is a SME for everything with InfoSec and Federal Government Compliance. He is incredibly diligent, hard-working and is able to easily discuss complicated technical matters with both experts and beginners. His can-do, humble attitude made it a distinct pleasure to work with and learn from him.”

Other endorsements…

“Working with Chue has been an honor. He’s incredibly knowledgeable and always travels out of his way to offer assistance and guidance. He made sure our systems were completely secure and gave us the peace of mind to focus on our responsibilities without worry of interruption.

Outside of a work capacity, Chue has been a positive and motivating force and he has a keen ability to instill trust.”


Experts who understand the Federal landscape

Imagine a world where organizations enthusiastically embrace cutting-edge AI technology, harnessing its power to gain profound insights into high-risk scenarios and propelling themselves toward their core business objectives with confidence!

Here at FabricLake, we lead the charge in revolutionizing federal compliance solutions! We’ve masterfully entwined the power of artificial intelligence into the very essence of our compliance processes. This astute integration doesn’t just optimize workflows; it paves the way for seamless task management and issue resolution, all while upholding the highest industry standards. In the heart of our Federal Compliance division, AI has seamlessly woven itself into the fabric of our operations, giving birth to RiskGuardian360 – a specialized application that unleashes the full potential of AI to steer us towards our compliance objectives with unwavering determination. Join us in embracing this cutting-edge technology and watch your compliance needs transform into opportunities for excellence!