Deep Dive into Changes to the Identification and Authentication Family in FedRAMP Revision 5

The FedRAMP Program Management Office (PMO) has released new proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, (NIST SP 800-53 Rev5). Here we will take a closer look at the changes to the Identification and Authentication control family that the new baselines bring.

Considerable Changes to the Low, Moderate, and High baselines include:

• Policies and procedures will now need to be designated as either organizational level, mission or business process level, or system level
• A requirement to designate a specific official to manage the development, documentation, dissemination of policies and procedures
• A requirement to update policies and procedures after specified events A change to generalize the types of access for privileged accounts requirement multifactor authentication
• An addition of a new parameter selecting privileged and/or non-privileged accounts that are required to have replay-resistant authentication mechanisms for network access
• Removal of a control step requires the disableing of an identifier after a specified period of inactivity
• An addition of a new requirement to maintain a list of commonly used, expected, or compromised passwords and update the list at a specified frequency and when organizational passwords are suspected to have been compromised directly or indirectly
• An addition of a new requirement to verify, when users create or update passwords, that the passwords are not found on the list of commonly-usedcommonly used, expected, or compromised passwords
• An addition of a new requirement to transmit passwords only over cryptographically-protected channels
• An addition of a new requirement to store passwords using an approved salted key derivation function
• An addition of a new requirement to immediately select a new password upon account recovery
• An addition of a new requirement to allow user selection of long passwords and passphrases, including spaces and all printable characters An addition of a new requirement to employ automated tools to assist users in selecting strong passwords
• A change of acceptance criteria for external authenticators (third party credentials) to be NIST compliant as opposed to FICAM approved

Considerable Changes to the Moderate and High baselines include:

• An addition of new parameters implementing multifactor authentication for local network, remote access, privileged accounts, and non-privileged accounts; so that one of the factors is provided by a device separate from the system gaining access
• Removal of a parameter requiring changing default content of authenticators prior to information system installation
• An addition of a parameter requiring defining specific events that require changing or refreshing authenticators
• An addition of a new control requiring that users are identify proofed for logical access based on identify assurance level requirements
• An addition of a new control requiring evidence of individual identification to be presented to the registration authority in order to reduce the likelihood of individuals using fraudulent identification to establish an identity
• An addition of a new control requiring a registration code or notice of proofing be delivered through an out-of-band channel to verify the user’s address (physical or digital) of record

Check back here for more deep dives into changes in each control family and updates on the proposed baselines from the FedRAMP PMO. Contact InfusionPoints for assistance with your FedRAMP journey. https://lz.infusionpoints.com/fedramp