CMMC v2.0 - Identification and Authentication

Controls mapping and traceability diagram. Created by Tara Lemieux and Michael Redman, Schellman Compliance.


1. IA.L2-3.5.6 Disable identifiers after a defined period of inactivity.

1.1. "Determine if:

1.2. (a) a period of inactivity after which an identifier is disabled is defined

1.3. (b) identifiers are disabled after the defined period of inactivity"

2. IA.L2-3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.

2.1. "Determine if:

2.2. (a) password complexity requirements are defined

2.3. (b) password change of character requirements are defined

2.4. (c) minimum password complexity requirements as defined are enforced when new passwords are created

2.5. (d) minimum password change of character requirements as defined are enforced when new passwords are created"

3. IA.L2-3.5.8 Prohibit password reuse for a specified number of generations.

3.1. "Determine if:

3.2. (a) the number of generations during which a password cannot be reused is specified

3.3. (b) reuse of passwords is prohibited during the specified number of generations"

4. IA.L2-3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password.

4.1. "Determine if:

4.2. (a) an immediate change to a permanent password is required when a temporary password is used for system logon"

5. IA.L2-3.5.10 Store and transmit only cryptographically-protected passwords.

5.1. "Determine if:

5.2. (a) passwords are cryptographically protected in storage

5.3. (b) passwords are cryptographically protected in transit"

6. IA.L1-3.5.1 Identify system users, processes acting on behalf of users, or devices.

6.1. "Determine if:

6.1.1. IA.L1-3.5.1 provides a vetted and trusted identity that supports the access control mechanism required by AC.L1-3.1.1.

6.2. (a) system users are identified

6.3. (b) processes acting on behalf of users are identified

6.4. (c) devices accessing the system are identified"

7. IA.L1-3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

7.1. "Determine if:

7.2. (a) the identity of each user is authenticated or verified as a prerequisite to system access

7.3. (b) the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access

7.4. (c) the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access"

8. IA.L2-3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

8.1. "Determine if:

8.1.1. AC.L2-3.1.12 requires the control of remote access sessions.

8.1.2. AC.L2-3.1.14 limits remote access to specific access control points.

8.1.3. AC.L2-3.1.15 requires authorization for privileged commands executed during a remote access session.

8.1.4. MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.

8.1.5. AC.L2-3.1.13 requires the use of cryptographic mechanisms when enabling remote sessions.

8.2. (a) privileged accounts are identified

8.3. (b) multifactor authentication is implemented for local access to privileged accounts

8.4. (c) multifactor authentication is implemented for network access to privileged accounts

8.5. (d) multifactor authentication is implemented for network access to non-privileged accounts"

9. IA.L2-3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts

9.1. "Determine if:

9.2. (a) replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts"

10. IA.L2-3.5.5 Prevent reuse of identifiers for a defined period.

10.1. "Determine if:

10.2. (a) a period within which identifiers cannot be reused is defined

10.3. (b) reuse of identifiers is prevented within the defined period"

11. IA.L2-3.5.11 Obscure feedback of authentication information.

11.1. "Determine if:

11.2. (a) authentication information is obscured during the authentication process"