Identification & Authentication
Identification & Authentication is the identity layer. Before anyone can access anything, they must prove who they are — and the system must verify that proof.
The Three Themes
Identity Foundation (3.5.1–3.5.2) — Unique identifiers for every user, process acting on behalf of a user, and device. Authenticate that identity before granting access.
MFA & Replay Resistance (3.5.3–3.5.5) — Multifactor authentication for privileged accounts (local and network access) and for all network access to non-privileged accounts. Replay-resistant mechanisms for network access. Prevent reuse of identifiers for a defined period.
Account Hygiene (3.5.6–3.5.11) — Disable dormant identifiers, enforce password complexity and generation-reuse rules, store and transmit passwords only in cryptographically protected form, allow temporary passwords only with an immediate change, and obscure authentication feedback.
All 11 Requirements
| Ref | Short Name | What It Covers |
|---|---|---|
| 3.5.1 | Prove Who You Are | Unique identity for every user, process, and device |
| 3.5.2 | Verify Before Entry | Authenticate identity before granting access |
| 3.5.3 | MFA for Privileged and Network Access | Multifactor authentication for local and network access to privileged accounts, and for network access to non-privileged accounts — not POA&M eligible |
| 3.5.4 | Replay-Resistant | Replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts |
| 3.5.5 | Don’t Recycle Identifiers | Prevent reuse of identifiers (usernames, device IDs) for a defined period |
| 3.5.6 | Disable Dormant Accounts | Inactive accounts disabled automatically |
| 3.5.7 | Password Complexity | Minimum complexity, and a minimum change of characters when a new password is created |
| 3.5.8 | No Password Reuse | Prevent reuse of recent passwords |
| 3.5.9 | Temporary Passwords | One-time use, changed at first login |
| 3.5.10 | Store Passwords Safely | Store and transmit only cryptographically protected passwords — salted and hashed at rest, never plaintext |
| 3.5.11 | Hide the Typing | Obscure authentication feedback on screen |
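
As an added example (not code from this page, nor from any CMMC or NIST tooling), the Python credential store below exercises the mechanical controls in the table in one place: unique identifiers that are not reissued during a hold period (3.5.1, 3.5.5), inactivity disabling (3.5.6), complexity, generation-history and temporary-password rules (3.5.7–3.5.9), salted slow hashing (3.5.10) and uniform failure feedback (3.5.11). The MFA and replay-resistance requirements (3.5.3, 3.5.4) concern a second factor and are not covered here. Every concrete parameter (PBKDF2-HMAC-SHA256 at 600,000 iterations, 24 generations of history, a 90-day inactivity window, a 365-day identifier hold, a 14-character minimum with three character classes) and the account name `svc-backup-01` are demo assumptions; neither the page nor 800-171 prescribes those values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added example; all policy parameters below are assumed demo values, not prescribed ones.

@dataclass
class Account:
    identifier: str                        # 3.5.1: unique per user, process or device
    salt: bytes
    pw_hash: bytes
    history: list = field(default_factory=list)   # 3.5.8: (salt, hash) of earlier passwords
    must_change: bool = False              # 3.5.9: True while a temporary password is in force
    last_activity: datetime = None
    disabled: bool = False                 # 3.5.6


class CredentialStore:
    def __init__(self, iterations=600_000, history_depth=24, inactivity_days=90,
                 identifier_hold_days=365, min_length=14):
        self.iterations = iterations
        self.history_depth = history_depth
        self.inactivity = timedelta(days=inactivity_days)
        self.identifier_hold = timedelta(days=identifier_hold_days)
        self.min_length = min_length
        self.accounts: dict[str, Account] = {}
        self.retired: dict[str, datetime] = {}   # 3.5.5: identifier -> earliest reissue date
        self._dummy_salt = os.urandom(16)         # equalises timing for unknown identifiers

    # 3.5.10: only a salted, slow hash is stored; the plaintext is never persisted.
    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def _matches(self, password: str, salt: bytes, expected: bytes) -> bool:
        return hmac.compare_digest(self._hash(password, salt), expected)

    # 3.5.7: minimum length plus at least three character classes (demo policy).
    def _complex_enough(self, password: str) -> bool:
        classes = (any(c.islower() for c in password) + any(c.isupper() for c in password)
                   + any(c.isdigit() for c in password) + any(not c.isalnum() for c in password))
        return len(password) >= self.min_length and classes >= 3

    def create(self, identifier: str, temporary_password: str, now: datetime) -> None:
        # 3.5.1 / 3.5.5: one live account per identifier, and no reissue during the hold period.
        if identifier in self.accounts:
            raise ValueError("identifier already in use")
        if identifier in self.retired and now < self.retired[identifier]:
            raise ValueError("identifier retired and not yet eligible for reuse")
        self.retired.pop(identifier, None)
        salt = os.urandom(16)
        self.accounts[identifier] = Account(identifier, salt, self._hash(temporary_password, salt),
                                            must_change=True, last_activity=now)   # 3.5.9

    def retire(self, identifier: str, now: datetime) -> None:
        del self.accounts[identifier]
        self.retired[identifier] = now + self.identifier_hold

    def sweep_inactive(self, now: datetime) -> list:
        # 3.5.6: run on a schedule; disables identifiers idle longer than the window.
        newly = [a.identifier for a in self.accounts.values()
                 if not a.disabled and now - a.last_activity > self.inactivity]
        for ident in newly:
            self.accounts[ident].disabled = True
        return newly

    def authenticate(self, identifier: str, password: str, now: datetime) -> str:
        # 3.5.11: unknown identifier and wrong password both yield the same 'denied', and the
        # hash is computed either way so response time does not reveal which one happened.
        acct = self.accounts.get(identifier)
        if acct is None:
            self._hash(password, self._dummy_salt)
            return "denied"
        if not self._matches(password, acct.salt, acct.pw_hash):
            return "denied"
        if acct.disabled or now - acct.last_activity > self.inactivity:
            acct.disabled = True                # 3.5.6, also enforced between sweeps
            return "disabled"
        acct.last_activity = now
        return "change-required" if acct.must_change else "ok"

    def change_password(self, identifier: str, old: str, new: str, now: datetime) -> bool:
        acct = self.accounts.get(identifier)
        if acct is None or acct.disabled or not self._matches(old, acct.salt, acct.pw_hash):
            return False
        if not self._complex_enough(new):
            return False
        for salt, digest in [(acct.salt, acct.pw_hash)] + acct.history:   # 3.5.8: last N generations
            if self._matches(new, salt, digest):
                return False
        acct.history.insert(0, (acct.salt, acct.pw_hash))
        del acct.history[self.history_depth:]
        acct.salt = os.urandom(16)
        acct.pw_hash = self._hash(new, acct.salt)
        acct.must_change = False                # 3.5.9: temporary password replaced
        acct.last_activity = now
        return True


def demo(iterations: int = 600_000) -> dict:
    """Walk one constructed account through its lifecycle and return what was observed."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = CredentialStore(iterations=iterations)
    store.create("svc-backup-01", "Temp-Pass-2024!", t0)
    r = {"temp_login": store.authenticate("svc-backup-01", "Temp-Pass-2024!", t0)}
    r["reuse_temp"] = store.change_password("svc-backup-01", "Temp-Pass-2024!", "Temp-Pass-2024!", t0)
    r["too_simple"] = store.change_password("svc-backup-01", "Temp-Pass-2024!", "aaaaaaaaaaaaaaaa", t0)
    r["changed"] = store.change_password("svc-backup-01", "Temp-Pass-2024!", "Correct-Horse-Battery-9", t0)
    r["old_denied"] = store.authenticate("svc-backup-01", "Temp-Pass-2024!", t0)
    r["unknown_denied"] = store.authenticate("no-such-user", "Correct-Horse-Battery-9", t0)
    r["new_ok"] = store.authenticate("svc-backup-01", "Correct-Horse-Battery-9", t0 + timedelta(days=1))
    r["reuse_old"] = store.change_password("svc-backup-01", "Correct-Horse-Battery-9", "Temp-Pass-2024!",
                                           t0 + timedelta(days=1))
    r["swept"] = store.sweep_inactive(t0 + timedelta(days=120))
    r["after_sweep"] = store.authenticate("svc-backup-01", "Correct-Horse-Battery-9", t0 + timedelta(days=120))
    store.retire("svc-backup-01", t0 + timedelta(days=120))
    try:
        store.create("svc-backup-01", "Other-Temp-2024!", t0 + timedelta(days=200))
        r["reissued_early"] = True
    except ValueError:
        r["reissued_early"] = False
    return r
```

`demo()` runs the sequence with the default 600,000 iterations; pass a smaller `iterations` only for quick experiments, never in production. Two design points worth noting against the table: the `"denied"` result is identical for a nonexistent identifier and a wrong password, and the dummy hash on the unknown-identifier path keeps the two responses from being distinguishable by timing; and `change_password` checks the new password against the current hash as well as the history, so the temporary password itself can never be kept.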