IA-3(1)

Requirement

Authenticate [Assignment: organization-defined devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based.

Discussion

A local connection is a connection with a device that communicates without the use of a network. A network connection is a connection with a device that communicates through a network. A remote connection is a connection with a device that communicates through an external network. Bidirectional authentication provides stronger protection to validate the identity of other devices for connections that are of greater risk.

Title

Device Identification and Authentication | Cryptographic Bidirectional Authentication
Family

Identification and Authentication
NIST 800-53B Baseline(s)

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: Identification and authentication policy; system security plan; procedures addressing device identification and authentication; system design documentation; list of devices requiring unique identification and authentication; device connection reports; system configuration settings and associated documentation; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with operational responsibilities for device identification and authentication; organizational personnel with information security responsibilities; system/network administrators; system developers].

Test

[SELECT FROM: Mechanisms supporting and/or implementing device authentication capability; cryptographically based bidirectional authentication mechanisms].

ID	Assessment Objectives
IA-03(01)	<IA-03(01)_ODP[01] devices and/or types of devices> are authenticated before establishing <IA-03(01)_ODP[02] SELECTED PARAMETER VALUES> connection using bidirectional authentication that is cryptographically based.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!