IA-5(8)

Requirement

Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems.

Discussion

When individuals have accounts on multiple systems and use the same authenticators such as passwords, there is the risk that a compromise of one account may lead to the compromise of other accounts. Alternative approaches include having different authenticators (passwords) on all systems, employing a single sign-on or federation mechanism, or using some form of one-time passwords on all systems. Organizations can also use rules of behavior (see PL-4) and access agreements (see PS-6) to mitigate the risk of multiple system accounts.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; system security plan; list of individuals having accounts on multiple systems; list of security safeguards intended to manage risk of compromise due to individuals having accounts on multiple systems; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators].

Test

[SELECT FROM: Mechanisms supporting and/or implementing safeguards for authenticator management].

ID	Assessment Objectives
IA-05(08)	<IA-05(08)_ODP security controls> are implemented to manage the risk of compromise due to individuals having accounts on multiple systems.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!