CMMC Identification and Authentication Worksheet
CMMC Assessment
CONFIDENTIALITY NOTE: The information contained in this report document is for the exclusive use of the client specified above and may contain confidential, privileged and non-disclosable information. If the recipient of this report is not the client or addressee, such recipient is strictly prohibited from reading, photocopying, distributing or otherwise using this report or its contents in any way.
Prepared for: Client Company
Prepared by: YourIT Company
Table of Contents
CMMC Identification and Authentication Worksheet CMMC ASSESSMENT
1 - C015 - Grant access to authenticated entities
1.1 - User Accounts - CMMC Ctrl: IA.1.076 - Identify information system users, processes acting on behalf of users, or devices. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.1)
1.2 - Identify Users - CMMC Ctrl: IA.1.077 - Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.2)
1.3 - Password Complexity - CMMC Ctrl: IA.2.078 - Enforce a minimum password complexity and change of characters when new passwords are created. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.7)
1.4 - Password Reuse - CMMC Ctrl: IA.2.079 - Prohibit password reuse for a specified number of generations. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.8)
1.5 - Temporary Password Use - CMMC Ctrl: IA.2.080 - Allow temporary password use for system logons with an immediate change to a permanent password. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.9)
1.6 - Password Encryption - CMMC Ctrl: IA.2.081 - Store and transmit only cryptographically-protected passwords. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.10)
1.7 - Obscure Authentication Feedback - CMMC Ctrl: IA.2.082 - Obscure feedback of authentication information. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.11)
1.8 - Authentication - CMMC Ctrl: IA.3.083 - Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.3)
1.9 - Replay Resistant Mechanisms - CMMC Ctrl: IA.3.084 - Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.4)
1.10 - Identify Management - CMMC Ctrl: IA.3.085 - Prevent the reuse of identifiers for a defined period. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.5)
1.11 - Identify Management - CMMC Ctrl: IA.3.086 - Disable identifiers after a defined period of inactivity. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.6)
PROPRIETARY & CONFIDENTIAL
1 - C015 - Grant access to authenticated entities
1.1 - User Accounts - CMMC Ctrl: IA.1.076 - Identify information system users, processes acting on behalf of users, or devices. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.1)
Does the company have a mechanism in place to identify information system users, processes acting on behalf of users, or devices?
Yes
Attachments
-09032020 CM for CMMC - CMMC Identification and Authentication Worksheet Include Responses.docx
Follow-up to 1.1 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented the process, mechanism, and controls necessary to meet this security requirement. 1) Reference the attached policies and procedures associated with this security requirement. 2) See attached records illustrating that the policies and procedures have been institutionalized. 3) View the attached overview of the technical examination practices used to verify that this security requirement is implemented. 4) See attached results of the last technical examination undertaken.
1.2 - Identify Users - CMMC Ctrl: IA.1.077 - Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.2)
Does the company employ mechanisms to authenticate or verify identities of users, processes, or devices, as a prerequisite to allowing access to the information system?
Yes
Follow-up to 1.2 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented the process, mechanism, and controls necessary to meet this security requirement. 1) Reference the attached policies and procedures associated with this security requirement. 2) See attached records illustrating that the policies and procedures have been institutionalized. 3) View the attached overview of the technical examination practices used to verify that this security requirement is implemented. 4) See attached results of the last technical examination undertaken.
1.3 - Password Complexity - CMMC Ctrl: IA.2.078 - Enforce a minimum password complexity and change of characters when new passwords are created. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.7)
Does the company employ a mechanism to enforce minimum password complexity and change of characters when new passwords are created?
Yes
Follow-up to 1.3 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented the process, mechanism, and controls necessary to meet this security requirement. 1) Reference the attached policies and procedures associated with this security requirement. 2) See attached records illustrating that the policies and procedures have been institutionalized. 3) View the attached overview of the technical examination practices used to verify that this security requirement is implemented. 4) See attached results of the last technical examination undertaken.
1.4 - Password Reuse - CMMC Ctrl: IA.2.079 - Prohibit password reuse for a specified number of generations. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.8)
Does the company employ the use of a password history policy or some other mechanism to prohibit password reuse for a specified number of generations?
Yes
Follow-up to 1.4 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented the process, mechanism, and controls necessary to meet this security requirement. 1) Reference the attached policies and procedures associated with this security requirement. 2) See attached records illustrating that the policies and procedures have been institutionalized. 3) View the attached overview of the technical examination practices used to verify that this security requirement is implemented. 4) See attached results of the last technical examination undertaken.
1.5 - Temporary Password Use - CMMC Ctrl: IA.2.080 - Allow temporary password use for system logons with an immediate change to a permanent password. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.9)
Does the company employ a mechanism that issues temporary passwords with an immediate change to a permanent password?
Yes
Follow-up to 1.5 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented the process, mechanism, and controls necessary to meet this security requirement. 1) Reference the attached policies and procedures associated with this security requirement. 2) See attached records illustrating that the policies and procedures have been institutionalized. 3) View the attached overview of the technical examination practices used to verify that this security requirement is implemented. 4) See attached results of the last technical examination undertaken.
1.6 - Password Encryption - CMMC Ctrl: IA.2.081 - Store and transmit only cryptographically-protected passwords. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.10)
Are passwords prevented from being stored or transmitted in reversible encryption form in any company systems?
Yes
Follow-up to 1.6 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented the process, mechanism, and controls necessary to meet this security requirement. 1) Reference the attached policies and procedures associated with this security requirement. 2) See attached records illustrating that the policies and procedures have been institutionalized. 3) View the attached overview of the technical examination practices used to verify that this security requirement is implemented. 4) See attached results of the last technical examination undertaken.
1.7 - Obscure Authentication Feedback - CMMC Ctrl: IA.2.082 - Obscure feedback of authentication information. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.11)
Do the authentication mechanisms obscure feedback of authentication information during the authentication process?
No
1.8 - Authentication - CMMC Ctrl: IA.3.083 - Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.3)
Does the company use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts?
Yes
Follow-up to 1.8 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented multifactor authentication solutions that feature physical authenticators, including hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security.
Follow-up to 1.8 if you answered Yes above - Which users are required to use MFA?
Remote and privileged users only
1.9 - Replay Resistant Mechanisms - CMMC Ctrl: IA.3.084 - Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.4)
Does the company employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts?
Yes
Follow-up to 1.9 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented replay-resistant techniques, including protocols that use nonces or challenges, such as time-synchronous or challenge-response one-time authenticators.
1.10 - Identify Management - CMMC Ctrl: IA.3.085 - Prevent the reuse of identifiers for a defined period. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.5)
Does the company prevent the reuse of identifiers for a defined period?
Yes
Follow-up to 1.10 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
1.11 - Identify Management - CMMC Ctrl: IA.3.086 - Disable identifiers after a defined period of inactivity. (NIST 800-171 Rev. 2 Ctrl Ref: 3.5.6)
Does the company disable identifiers after a defined period of inactivity?
Yes
Follow-up to 1.11 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained. The organization regularly performs tests to identify inactive identifiers and disables the identifiers.