IA-11

Requirement

Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].

Discussion

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: Identification and authentication policy; procedures addressing user and device re-authentication; system security plan; system design documentation; system configuration settings and associated documentation; list of circumstances or situations requiring re-authentication; system audit records; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; organizational personnel with identification and authentication responsibilities].

Test

[SELECT FROM: Mechanisms supporting and/or implementing identification and authentication capabilities].

ID	Assessment Objectives
IA-11	users are required to re-authenticate when <IA-11_ODP circumstances or situations>.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!