Identity & Authentication.

Identifying users, authenticating them, MFA where it matters, and managing identifiers over time.

3.5.1 Prove Who You Are. IA.L1-3.5.1 · Identification Every user, service account, and device has a unique identifier. No anonymous access. 3 pts
L1 3.5.2 Verify Before Entry. IA.L1-3.5.2 · Authentication Before granting access, verify identity through credentials — passwords, tokens, certificates, biometrics. 1 pts
L1 3.5.3 MFA Everywhere. IA.L2-3.5.3 · Multifactor Authentication Multi-factor authentication for all privileged accounts and all remote non-privileged access. Cannot be on POA&M. 5 pts 3.5.4 Replay-Resistant Auth. IA.L2-3.5.4 · Replay-Resistant Authentication Authentication that can't be intercepted and replayed by an attacker. 1 pts 3.5.5 Don't Recycle Usernames. IA.L2-3.5.5 · Identifier Reuse Don't reuse a departed employee's username for a defined period. 1 pts 3.5.6 Disable Dormant Accounts. IA.L2-3.5.6 · Identifier Handling Accounts unused for a defined period are automatically disabled. 1 pts

Password complexity, reuse limits, transmission protections, and not echoing secrets on screen.

3.5.7 Password Rules. IA.L2-3.5.7 · Password Complexity Minimum length, complexity, and meaningful change requirements for passwords. 5 pts 3.5.8 No Password Recycling. IA.L2-3.5.8 · Password Reuse Users can't cycle back to previous passwords. Enforce at least 24-password history. 1 pts 3.5.9 Change Temp Passwords Immediately. IA.L2-3.5.9 · Temporary Passwords Temporary passwords must be changed on first login. No exceptions. 1 pts

Storing and transmitting authenticators in cryptographically protected form, with obscured feedback.

3.5.10 Never Store Passwords in Plain Text. IA.L2-3.5.10 · Cryptographically-Protected Passwords Passwords are cryptographically hashed when stored and encrypted when transmitted. Never plain text. 3 pts 3.5.11 Mask the Password Field. IA.L2-3.5.11 · Obscure Feedback Don't show passwords on screen as they're typed. Dots or asterisks. 1 pts