Skip to main content

IAC-10: Authenticator Management

IAC 10 — Critical Protect

Mechanisms exist to: (1) Securely manage authenticators for users and devices; and (2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.

Control Question: Does the organization: (1) Securely manage authenticators for users and devices; and (2) Ensure the strength of authentication is appropriate to the classification of the data being accessed?

General (51)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC6.1
CIS CSC 8.1 5.2
CIS CSC 8.1 IG1 5.2
CIS CSC 8.1 IG2 5.2
CIS CSC 8.1 IG3 5.2
CSA CCM 4 IAM-02 IAM-14 IAM-15
CSA IoT SCF 2 IAM-18 IAM-21 IAM-22
GovRAMP Core IA-05(01)
GovRAMP Low IA-05(01)
GovRAMP Low+ IA-05(01)
GovRAMP Moderate IA-05(01)
GovRAMP High IA-05(01)
IEC 62443-4-2 2019 CR 1.5 (5.7.1)
IMO Maritime Cyber Risk Management 3.5.3.1 3.5.3.2
ISO 27002 2022 5.17 5.18
ISO 27017 2015 9.2.4 9.4.3
MITRE ATT&CK 10 T1003, T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008, T1021, T1021.001, T1021.004, T1040, T1072, T1078, T1078.002, T1078.004, T1098.001, T1098.002, T1098.003, T1110, T1110.001, T1110.002, T1110.003, T1110.004, T1111, T1114, T1114.002, T1133, T1136, T1136.001, T1136.002, T1136.003, T1528, T1530, T1539, T1550.003, T1552, T1552.001, T1552.002, T1552.004, T1552.006, T1555, T1555.001, T1555.002, T1555.004, T1555.005, T1556, T1556.001, T1556.003, T1556.004, T1558, T1558.001, T1558.002, T1558.003, T1558.004, T1563.001, T1599, T1599.001, T1601, T1601.001, T1601.002
NIST 800-53 R4 IA-5 IA-5(4)
NIST 800-53 R4 (low) IA-5
NIST 800-53 R4 (moderate) IA-5
NIST 800-53 R4 (high) IA-5
NIST 800-53 R5 (source) IA-5 IA-5(1)
NIST 800-53B R5 (low) (source) IA-5 IA-5(1)
NIST 800-53B R5 (moderate) (source) IA-5 IA-5(1)
NIST 800-53B R5 (high) (source) IA-5 IA-5(1)
NIST 800-82 R3 LOW OT Overlay IA-5 IA-5(1)
NIST 800-82 R3 MODERATE OT Overlay IA-5 IA-5(1)
NIST 800-82 R3 HIGH OT Overlay IA-5 IA-5(1)
NIST 800-161 R1 IA-5
NIST 800-161 R1 C-SCRM Baseline IA-5
NIST 800-161 R1 Flow Down IA-5
NIST 800-161 R1 Level 2 IA-5
NIST 800-161 R1 Level 3 IA-5
NIST 800-171 R2 (source) 3.5.8 3.5.9
NIST 800-171A (source) 3.5.8[a] 3.5.8[b] 3.5.9
NIST 800-171 R3 (source) 03.05.07.a 03.05.07.b 03.05.07.c 03.05.07.d 03.05.07.e 03.05.07.f 03.05.12.a 03.05.12.b 03.05.12.c 03.05.12.d 03.05.12.e 03.05.12.f
NIST 800-171A R3 (source) A.03.05.12.ODP[01] A.03.05.12.ODP[02] A.03.05.12.a A.03.05.12.b A.03.05.12.c[01] A.03.05.12.c[02] A.03.05.12.c[03] A.03.05.12.c[04] A.03.05.12.c[05] A.03.05.12.c[06] A.03.05.12.d A.03.05.12.e A.03.05.12.f[01] A.03.05.12.f[02]
PCI DSS 4.0.1 (source) 8.2.4 8.3 8.3.1 8.3.10.1 8.3.11 8.3.3 8.3.5 8.3.7 8.3.9 8.6.3
PCI DSS 4.0.1 SAQ A (source) 8.3.1 8.3.5 8.3.7 8.3.9
PCI DSS 4.0.1 SAQ A-EP (source) 8.2.4 8.3.1 8.3.3 8.3.5 8.3.7 8.3.9 8.3.11 8.6.3
PCI DSS 4.0.1 SAQ C (source) 8.2.4 8.3.1 8.3.3 8.3.5 8.3.7 8.3.9 8.6.3
PCI DSS 4.0.1 SAQ C-VT (source) 8.2.4 8.3.1
PCI DSS 4.0.1 SAQ D Merchant (source) 8.2.4 8.3.1 8.3.3 8.3.5 8.3.7 8.3.9 8.3.11 8.6.3
PCI DSS 4.0.1 SAQ D Service Provider (source) 8.2.4 8.3.1 8.3.3 8.3.5 8.3.7 8.3.9 8.3.10.1 8.3.11 8.6.3
SWIFT CSF 2023 4.1 5.4
UL 2900-1 2017 8.3
SCF CORE Fundamentals IAC-10
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) IAC-10
SCF CORE ESP Level 1 Foundational IAC-10
SCF CORE ESP Level 2 Critical Infrastructure IAC-10
SCF CORE ESP Level 3 Advanced Threats IAC-10
US (35)
Framework Mapping Values
US C2M2 2.1 ACCESS-1.B.MIL1
US CERT RMM 1.2 TM:SG4.SP1
US CISA CPG 2022 2.B 2.L
US CJIS Security Policy 5.9.3 (source) IA-5 IA-5(1)
US CMMC 2.0 Level 2 (source) IA.L2-3.5.8 IA.L2-3.5.9
US CMMC 2.0 Level 3 (source) IA.L2-3.5.8 IA.L2-3.5.9
US CMS MARS-E 2.0 IA-5
US DoD Zero Trust Execution Roadmap 1.8.2
US DHS CISA TIC 3.0 3.PEP.ID.SMANA
US FDA 21 CFR Part 11 11.300 11.300(a) 11.300(b) 11.300(c) 11.300(d) 11.300(e)
US FedRAMP R4 IA-5 IA-5(4)
US FedRAMP R4 (low) IA-5
US FedRAMP R4 (moderate) IA-5 IA-5(4)
US FedRAMP R4 (high) IA-5 IA-5(4)
US FedRAMP R4 (LI-SaaS) IA-5
US FedRAMP R5 (source) IA-5
US FedRAMP R5 (low) (source) IA-5
US FedRAMP R5 (moderate) (source) IA-5
US FedRAMP R5 (high) (source) IA-5
US FedRAMP R5 (LI-SaaS) (source) IA-5
US HIPAA HICP Medium Practice 3.M.C
US HIPAA HICP Large Practice 3.M.C
US IRS 1075 IA-5 IA-5(1)
US NERC CIP 2024 (source) CIP-007-6 5.6
US NISPOM 2020 8-607
US NNPI (unclass) 7.1
US SSA EIESR 8.0 5.3
US TSA / DHS 1580/82-2022-01 III.C.1.a
US - CA CCPA 2025 7123(c)(1)(B)
US - MA 201 CMR 17.00 17.04(1)(b) 17.04(1)(c) 17.04(1)(d) 17.04(1)(e) 17.04(2)(b)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.7(b)
US - TX DIR Control Standards 2.0 IA-5
US - TX TX-RAMP Level 1 IA-5
US - TX TX-RAMP Level 2 IA-5
US - VT Act 171 of 2018 2447(c)(1)(A)(ii)
EMEA (11)
Framework Mapping Values
EMEA EU NIS2 Annex 11.6.2(a) 11.7.2
EMEA EU PSD2 4
EMEA Germany C5 2020 IDM-08
EMEA Israel CDMO 1.0 4.35 12.15 12.16
EMEA Saudi Arabia CSCC-1 2019 2-2-1-6
EMEA Saudi Arabia IoT CGIoT-1 2024 2-2-2
EMEA Saudi Arabia ECC-1 2018 2-2-3-1
EMEA Saudi Arabia OTCC-1 2022 2-2-1-8
EMEA Saudi Arabia SACS-002 TPC-3
EMEA Spain CCN-STIC 825 7.2.5 [OP.ACC.5]
EMEA UK Cyber Essentials 2
APAC (4)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-1227 ISM-1593 ISM-1594 ISM-1595
APAC India SEBI CSCRF PR.AA.S6
APAC Japan ISMAP 9.2.4 9.2.4.9.PB 9.4.3
APAC New Zealand NZISM 3.6 14.3.13.C.01 14.3.13.C.02 14.3.13.C.03 16.1.40.C.01 16.1.40.C.02 16.1.41.C.01 16.1.41.C.02 16.1.41.C.03 16.1.41.C.04 16.1.42.C.01
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.05.07.A 03.05.07.B 03.05.07.C 03.05.07.D 03.05.07.E 03.05.07.F 03.05.12.A 03.05.12.B 03.05.12.C 03.05.12.D 03.05.12.E 03.05.12.F

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to: (1) Securely manage authenticators for users and devices; and (2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.

Level 1 — Performed Informally

Identification & Authentication (IAC) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Identity & Access Management (IAM) is decentralized where Active Directory (AD), or a similar technology, may be used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific systems, applications and services.
  • IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
  • IT personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.
Level 2 — Planned & Tracked

Identification & Authentication (IAC) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Implement and maintain an Identity & Access Management (IAM) capability for all users to implement “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts. o Govern IAM technologies via RBAC to prohibit privileged access by non-organizational users, unless there is an explicit support contract for privileged IT support services.

  • Logical Access Control (LAC) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for logical access control.
  • IT personnel:
  • Active Directory (AD), or a similar technology, is primarily used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific systems, applications and services that cannot be integrated into AD.
  • IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
  • Administrative processes and technologies enforce password complexity to ensure strong passwords.
  • Administrative processes and technologies ensure cryptographic modules adhere to applicable statutory, regulatory and contractual requirements for security strength.
Level 3 — Well Defined

Identification & Authentication (IAC) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An Identity & Access Management (IAM) function, or similar function, centrally manages permissions and implements “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.
  • The Human Resources (HR) department governs personnel management operations and notifies IAM personnel of personnel role changes for RBAC-based provisioning and deprovisioning actions.
  • An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data that conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
  • An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
  • Active Directory (AD), or a similar technology, is used to centrally manage identities and permissions. Only by exception due to a technical or business limitation are solutions authorized to operate a decentralized access control program for systems, applications and services.
  • Administrative processes and technologies enforce password complexity to ensure strong passwords.
  • Administrative processes and technologies ensure cryptographic modules adhere to applicable statutory, regulatory and contractual requirements for security strength.
Level 4 — Quantitatively Controlled

Identification & Authentication (IAC) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

Identification & Authentication (IAC) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
  • Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.

Assessment Objectives

  1. IAC-10_A01 the number of generations during which a password cannot be reused is specified.
  2. IAC-10_A02 reuse of passwords is prohibited during the specified number of generations.
  3. IAC-10_A03 an immediate change to a permanent password is required when a temporary password is used for system logon.
  4. IAC-10_A04 the frequency for changing or refreshing authenticators is defined.
  5. IAC-10_A05 events that trigger the change or refreshment of authenticators are defined.
  6. IAC-10_A06 the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution is verified.
  7. IAC-10_A07 initial authenticator content for any authenticators issued by the organization is established.
  8. IAC-10_A08 system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use.
  9. IAC-10_A09 system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution. lost, compromised or damaged authenticators. and the revocation of authenticators.
  10. IAC-10_A10 default authenticators are changed at first use.
  11. IAC-10_A11 authenticators are changed or refreshed per an organization-defined frequency or when organization-defined events occur.
  12. IAC-10_A12 system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification.
  13. IAC-10_A13 system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators.
  14. IAC-10_A14 system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators.
  15. IAC-10_A15 system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.
  16. IAC-10_A16 the frequency at which to update the list of commonly used, expected or compromised passwords is defined.
  17. IAC-10_A17 authenticator composition and complexity rules are defined.
  18. IAC-10_A18 administrative procedures for initial authenticator distribution are established.
  19. IAC-10_A19 administrative procedures for lost, compromised, or damaged authenticators are established.
  20. IAC-10_A20 administrative procedures for revoking authenticators are established.
  21. IAC-10_A21 administrative procedures for initial authenticator distribution are implemented.
  22. IAC-10_A22 administrative procedures for lost, compromised, or damaged authenticators are implemented.
  23. IAC-10_A23 administrative procedures for revoking authenticators are implemented.
  24. IAC-10_A24 authenticator content is protected from unauthorized disclosure.
  25. IAC-10_A25 authenticators are changed or refreshed <A.03.05.12.ODP[01]: frequency> or when the following events occur: <A.03.05.12.ODP[02]: events>.
  26. IAC-10_A26 authenticator content is protected from unauthorized disclosure.
  27. IAC-10_A27 authenticator content is protected from unauthorized modification.

Technology Recommendations

Micro/Small

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Small

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Medium

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Large

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Enterprise

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free