Level 1


Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk.  Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords.  [SP 800-63-3] provides guidance on digital identities. 

Priority: High 


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM), AWS Certificate Manager, AWS Directory Service, AWS Single Sign-On 

Services Associated with Azure:

  • Azure Active Directory (Azure AD)
  • Azure AD B2C
  • Azure Multi-Factor Authentication (MFA)
  • Azure AD Privileged Identity Management (PIM)
  • Azure Key Vault
  • Azure AD Managed Identities
  • Azure AD Certificate-based authentication
  • Azure Information Protection
  • Azure Security Center

Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Identity & Access Management (IAM) practices are implemented
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings 

Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC) 

What needs to be answered:

Are the accounts in use assigned and managed by the company’s central management system? Are accounts uniquely assigned to new employees, contractors, or subcontractors upon hire? Are initial passwords given to new hires reset upon first use? Are all passwords at least 2 characters with uppercase, lowercase, letters, numbers, and special characters?


Checks for AWS

  • Authenticate User, Process, and Device Identities
    Description: This check ensures that organizational systems implement authentication mechanisms to verify the identities of users, processes, and devices before granting access. Authentication methods may include passwords, key cards, cryptographic devices, and one-time password devices. Organizations establish and enforce authentication policies, such as minimum password length and validation time window for one-time tokens, to ensure secure authentication practices. It is important to avoid using default authentication credentials, as they are often easily discoverable and pose a significant security risk. System components should not ship with factory default authentication credentials, and organizations should change the initial authenticator content upon installation. Authenticator management includes issuing and revoking authenticators, as well as managing temporary access for remote maintenance. Device authenticators, such as certificates and passwords, are also considered in the authentication process.

Checks for Azure

  • Enforce Multi-Factor Authentication (MFA) for User Accounts
    Description: This check ensures that multi-factor authentication (MFA) is enforced for user accounts in Azure. MFA adds an extra layer of security by requiring users to provide additional verification factors, such as a mobile app code or biometric authentication, in addition to their password.
  • Implement Password Policies for User Accounts
    Description: This check verifies that organizations have implemented password policies for user accounts in Azure. Password policies define requirements such as minimum password length, complexity, and expiration to enforce strong and secure password practices.
  • Manage and Rotate Authentication Credentials
    Description: This check emphasizes the importance of managing and rotating authentication credentials, such as certificates and passwords, in Azure. Organizations should ensure that authentication credentials are assigned, managed, and revoked through central management systems. Additionally, default authentication credentials should be changed upon installation to prevent the use of well-known and easily discoverable credentials.
  • Regularly Review and Remove Unused Accounts and Credentials
    Description: This check highlights the need to regularly review and remove unused accounts and credentials in Azure. Accounts and credentials that are no longer needed, such as those associated with former employees or contractors, should be deactivated or deleted promptly to minimize the risk of unauthorized access.

More Details:  Users must authenticate with unique credentials prior to accessing systems containing CUI.