For a PRIVILEGED user, even local access (e.g., to the standalone) requires MFA. Typically, organizational desktops are used for network access and so the user has to use MFA to access their network account.
However, if used to connect to a LAN, the network access has to be MFA. For a NON-PRIVILEGED user, if it’s a standalone computer (e.g., a laptop computer), with no network access, the access can be via single factor authentication (SFA) - MFA is not required.Network Access means access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).Local Access means access to an organizational system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.
Where you are, even in a controlled access facility, is not one of these factors and, generally, would be a condition that applied to many and not unique to the individual being authenticated.
#NIST COMSOL 5.3 PASSWORD#
#NIST COMSOL 5.3 FULL#
I'm just gonna leave the full DoD implementation guidance here: a Kerberos ticket or one-time password/token) which expires quickly, and is extremely difficult to harvest and re-use.Ī device, in the hands of an unknown individual, and using a harvestable credential with a lifespan measured in days, is not a trustworthy, replay-resistant authentication factor. The authenticator must only be valid within a limited window of time (i.e. That belongs to the device you'll need to bring your own authentication factor.Īuthentication must be replay-resistant. I would also say that anything that a device has (MAC ID, serial, IP address, Kerberos ticket, cached credentials) isn't something you have. Just because an admin must authenticate against your domain (in order to join a device to the domain) doesn't permanently imbue the joined device with an eternal status of "authenticated." If anything, the device would be "authorized" and little else. NIST SP 800-37 Rev 1: This document describes the NIST Risk Management Framework. 4: A compliance assessment guide for 800-53. For organizations adopting the NIST Risk Management Framework (800-37), this document is relevant. While 800-171 takes a lot from from 800-53, the controls in 800-53 are not required for 800-171 compliance. Summary: The parent document of 800-171, this is the far more detailed SP that governs federal information systems (not contractor).
NIST SP 800-171A: A Compliance Assessment Guide that gives an idea of what auditors are looking for. NIST HB 162: A Self Assessment Handbook that asks pertinent questions and provides insight. This is the primary publication you will see discussed here. Summary: As required by DFARS, defense contractors are required to become compliant with the controls of NIST SP 800-171. r/CMMC THE SPECIAL PUBLICATIONS NIST SP 800-171 A reddit community for navigating the complicated world of NIST Publications and Controls.
0 kommentar(er)
