CMMC 2.0 • LEVEL 1 • IDENTIFICATION & AUTHENTICATION
IA.L1-3.5.2 — Device Identification and Authentication
Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC] addresses, Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers [IEEE] 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Public Key Infrastructure (PKI) and certificate revocation checking for the certificates exchanged can be included as part of device authentication.
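The paragraph above contrasts two ways of identifying a device: shared known information such as a MAC or IP address, which any host on the segment can claim, and a certificate issued by the organizational PKI, which the authentication server can validate and check for revocation. The program below is an added example written for this page, not text from the CMMC practice or NIST, and not the code of any RADIUS product. It builds a constructed in-memory device CA, issues certificates for two invented devices (printer-01.example.local and laptop-07.example.local), revokes the laptop's certificate on a CRL, and then runs the checks an EAP-TLS authentication server owes before admitting a device: chain to the trusted CA, validity at the current time, client-authentication extended key usage, and absence from a CRL that the CA signed and that has not passed its NextUpdate. Assumed and simplified: serials are hand-assigned, the CRL is handed in as bytes rather than fetched from a distribution point or replaced by OCSP, and the TLS handshake's proof that the device holds the private key is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewDeviceCA creates a constructed in-memory self-signed CA (stand-in for the org PKI) able to sign certs and CRLs.
func NewDeviceCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, _ := x509.ParseCertificate(der) // DER produced one line up; cannot fail
	return cert, key, nil
}

// IssueDeviceCert issues the client-auth certificate an EAP-TLS supplicant presents. The
// device key is discarded: the handshake's proof of possession is outside this example.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, device string, serial int64, now time.Time, lifetime time.Duration) ([]byte, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: device},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &devKey.PublicKey, caKey)
}

// SignCRL signs a revocation list naming the given serials, fresh for one day from now.
func SignCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, revokedSerials ...int64) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revokedSerials {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: entries}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// AuthenticateDevice performs the authentication-server checks: chain to the trusted CA, validity
// now, client-auth EKU, absence from a CA-signed, unexpired CRL (Verify skips revocation). Returns the CN.
func AuthenticateDevice(leafDER, crlDER []byte, trusted *x509.Certificate, now time.Time) (string, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", fmt.Errorf("device certificate: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("chain validation: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", fmt.Errorf("CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(trusted); err != nil {
		return "", fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) { // fail closed: stale revocation data is no check at all
		return "", fmt.Errorf("CRL expired at %s", crl.NextUpdate.UTC())
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "", fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
		}
	}
	return leaf.Subject.CommonName, nil
}

func main() {
	now := time.Now()
	ca, caKey, err := NewDeviceCA("Example Device CA", now)
	if err != nil {
		panic(err)
	}
	okDER, _ := IssueDeviceCert(ca, caKey, "printer-01.example.local", 2, now, 30*24*time.Hour)
	lostDER, _ := IssueDeviceCert(ca, caKey, "laptop-07.example.local", 3, now, 30*24*time.Hour)
	crlDER, _ := SignCRL(ca, caKey, now, 3) // serial 3: laptop-07 reported lost
	for _, der := range [][]byte{okDER, lostDER} {
		fmt.Println(AuthenticateDevice(der, crlDER, ca, now))
	}
}
```

Run with go run; the printer is admitted under its certificate identity and the laptop is refused by serial. The stale-CRL branch is the caveat worth carrying into a real deployment: a verifier that silently accepts a connection when revocation data is missing or expired has reduced certificate authentication to the same trust-on-assertion as a MAC allow list, so the CRL lifetime (or OCSP response lifetime) becomes the window in which a lost or compromised device keeps its network access.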
Assessment Objectives
- Organization-defined devices and/or device types are uniquely identified before establishing a system connection.
- Organization-defined devices and/or device types are authenticated before establishing a system connection.
Practitioner Notes
Practitioner commentary coming soon.