NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-5(13) Expiration of Cached Authenticators

Prohibit the use of cached authenticators after {{ insert: param, ia-05.13_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Cached authenticators are used to authenticate to the local machine when the network is not available. If cached authentication information is out of date, the validity of the authentication information may be questionable.

Practitioner Notes

This enhancement requires that cached authenticators expire after a defined period — you should not be able to log in with cached credentials indefinitely.

Example 1: Configure Group Policy to limit the number of cached logons on Windows laptops to no more than 2 (or as your policy dictates) and require network re-authentication within 24 hours.
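A way to verify the first part of Example 1 on a Windows endpoint, as an added example that is not part of the NIST text: the script reads the registry value that the Group Policy setting "Interactive logon: Number of previous logons to cache" writes, and reports whether it meets the policy maximum. The maximum of 2 is taken from Example 1; the function names and the report layout are this example's own.

```powershell
# Added example: audit the cached-logon limit on a Windows host.
# Group Policy "Interactive logon: Number of previous logons to cache
# (in case domain controller is not available)" is stored as the REG_SZ
# value CachedLogonsCount under the Winlogon key. When the value is
# absent, Windows falls back to its default of 10 cached logons.

$PolicyMax = 2   # assumption: the "no more than 2" limit from Example 1
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'CachedLogonsCount'
$WindowsDefault = 10

function Get-CachedLogonsCount {
    # Returns the configured value, or $null when it has never been set.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-CachedLogonsCompliance {
    param([int]$MaxAllowed = $PolicyMax)

    $configured = Get-CachedLogonsCount
    if ($null -eq $configured) {
        # Not set at all: the default applies, which exceeds the policy.
        $effective = $WindowsDefault
        $note = "value not set; Windows default of $WindowsDefault applies"
    } else {
        $effective = $configured
        $note = 'value explicitly configured'
    }

    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Effective = $effective
        Maximum   = $MaxAllowed
        Compliant = ($effective -le $MaxAllowed)
        Note      = $note
    }
}

# Usage: emit one result object; non-zero exit code flags a failed check,
# so the script can be run from a scheduled task or an endpoint agent.
$result = Test-CachedLogonsCompliance
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

A value of 0 disables credential caching entirely, which also satisfies the check; the script does not cover the 24-hour re-authentication requirement, which has to be enforced separately.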

Example 2: Set Azure AD token lifetime policies to limit refresh token lifetimes so users must re-authenticate with MFA at least every 24 hours, even on trusted devices.