NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-5(6) Protection of Authenticators

Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process.

Practitioner Notes

This enhancement requires protecting authenticators commensurate with the sensitivity of the information they protect — high-value secrets need high-value protection.

Example 1: Store service account passwords and API keys in a secrets vault like Azure Key Vault, HashiCorp Vault, or CyberArk rather than in scripts or config files.

Example 2: Require hardware security modules (HSMs) or hardware tokens for authenticators protecting your most sensitive systems (domain admin accounts, PKI root keys).