
CMMC Domain Series: Identification And Authentication


Our manufacturing customers have told us they want to learn more about CMMC domains. Therefore, over the next few weeks, we will focus on domains, what to look out for, and best practices.

Today, we will dive into the Identification and Authentication domain. As the name suggests, this domain centers on identifying and authenticating users and processes before they are granted access to technology. It covers the controls below:

Identifying and authenticating users

Access controls 3.5.1 and 3.5.2 require manufacturers to identify users and processes acting on behalf of users or devices.

Best practice: Assign unique usernames and identifiers to employees and workstations. Also, assign passwords to user accounts and systems.

Password complexity

Password complexity comes from access controls 3.5.7, 3.5.8, and 3.5.9, which require passwords to meet a minimum level of complexity, guard against password reuse, and allow for temporary passwords during password changes.

Best practices: Ensure that your passwords include different cases, special characters, and numbers. Be sure to set limits on password reuse and time limits on temporary passwords.

Password Protection

Access controls 3.5.10 and 3.5.11 require obscuring your passwords, both when they are stored and when they are entered. Popular systems such as Windows already have the ability to store passwords as a “one-way hash” rather than in clear text.

Best practices: Double-check that passwords entered into laptops, tablets, or smartphones are displayed in characters like dots instead of the actual password characters.
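The password controls above (complexity in 3.5.7, reuse limits in 3.5.8, temporary passwords in 3.5.9, and one-way hashed storage in 3.5.10) fit together in one small account-management routine. The example below is added here and is not code from the original post or from any particular product; the policy numbers (12-character minimum, 10-password history, 24-hour temporary password lifetime, PBKDF2 iteration count) are assumptions chosen for illustration, since CMMC leaves the specific values to the organization.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Policy parameters: assumptions for this example, not values mandated by CMMC.
MIN_LENGTH = 12
HISTORY_DEPTH = 10                          # current + previous passwords that may not be reused (3.5.8)
TEMP_PASSWORD_TTL = timedelta(hours=24)     # how long a temporary password stays usable (3.5.9)
PBKDF2_ITERATIONS = 200_000                 # work factor for the one-way hash (3.5.10)


def check_complexity(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes (3.5.7)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted one-way hash: the stored digest cannot be turned back into the password (3.5.10)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest) pairs
    temporary_until: Optional[datetime] = None                        # set while a temporary password is active


def create_account(username: str, temp_password: str, now: datetime) -> Account:
    """New accounts start with a temporary password that expires after TEMP_PASSWORD_TTL (3.5.9)."""
    salt, digest = hash_password(temp_password)
    return Account(username, salt, digest, [], now + TEMP_PASSWORD_TTL)


def change_password(acct: Account, old_password: str, new_password: str, now: datetime) -> tuple[bool, str]:
    """Apply the temporary-password, complexity and reuse rules; returns (ok, reason)."""
    if acct.temporary_until is not None and now > acct.temporary_until:
        return False, "temporary password expired; request a new one"
    if not verify_password(old_password, acct.salt, acct.digest):
        return False, "current password incorrect"
    problems = check_complexity(new_password)
    if problems:
        return False, "; ".join(problems)
    # Reuse check: compare against the current hash and every retained previous hash.
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if verify_password(new_password, salt, digest):
            return False, f"password matches one of the last {HISTORY_DEPTH} passwords"
    acct.history.insert(0, (acct.salt, acct.digest))
    del acct.history[HISTORY_DEPTH - 1:]   # keep HISTORY_DEPTH - 1 previous entries plus the new current one
    acct.salt, acct.digest = hash_password(new_password)
    acct.temporary_until = None
    return True, "password changed"
```

Only the salt and digest are persisted; the history is a list of old salted digests, so reuse can be detected without ever storing an old password in clear text. The constant-time comparison in `verify_password` is what you would expect any authentication code to use.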

Multi-factor authentication

Multi-factor authentication (MFA) is access control 3.5.3. It requires manufacturers to have a second factor to authenticate. The most common second factor is a smartphone, but SMS PINs, smart cards, and biometric fingerprints can also be used. Microsoft 365 accounts, Active Directory accounts, VPN connections, and SSH connections should all use MFA.

Best practice: Train employees to expect MFA for their technology. At a minimum, local admin accounts, cloud services, VPN connections, and SSH connections should all have MFA.

Replay-resistant authentication mechanisms

This is access control 3.5.4, which calls for replay-resistant authentication and is typically met by enabling transport layer security (TLS) for system access.

Best practice: Use TLS for network access to systems. TLS is replay-resistant and uses several mechanisms to prevent replay attacks.

Rules regarding identifiers

Finally, access controls 3.5.5 and 3.5.6 cover identifier reuse and identifier disablement. Previously assigned identifiers cannot be reassigned to new users, groups, roles, or devices; reusing an identifier is accepted only after a defined period has passed.

Best practice: If an account is inactive or not logged in for an extended period, the best practice is to turn it off. Automation may be used to better manage this process for larger manufacturers with many accounts.
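The two identifier rules (no reassignment until a defined period has passed, and disabling identifiers after a period of inactivity) are easy to automate in a small registry, which is what the best practice above recommends for larger manufacturers. The example below is added here and is not code from the original post or from any directory product; the 90-day inactivity limit and the one-year hold on retired identifiers are assumptions for illustration, and the registry is an in-memory stand-in for whatever directory the manufacturer actually runs.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values; CMMC leaves the "defined period" to the organization.
INACTIVITY_LIMIT = timedelta(days=90)    # disable after this much inactivity (3.5.6)
IDENTIFIER_HOLD = timedelta(days=365)    # retired identifiers may not be reassigned before this (3.5.5)


@dataclass
class Identity:
    identifier: str
    kind: str                              # "user", "group", "role", or "device"
    created: datetime
    last_login: Optional[datetime] = None
    enabled: bool = True
    retired_at: Optional[datetime] = None  # set when the identifier is taken out of service


class IdentifierRegistry:
    """In-memory stand-in for a directory; hypothetical, for illustration only."""

    def __init__(self) -> None:
        self._entries: dict[str, Identity] = {}

    def assign(self, identifier: str, kind: str, now: datetime) -> Identity:
        """Refuse to reuse an identifier that is still assigned or was retired too recently (3.5.5)."""
        existing = self._entries.get(identifier)
        if existing is not None:
            if existing.retired_at is None:
                raise ValueError(f"{identifier} is still assigned")
            if now - existing.retired_at < IDENTIFIER_HOLD:
                raise ValueError(f"{identifier} was retired too recently to reassign")
        ident = Identity(identifier, kind, now)
        self._entries[identifier] = ident
        return ident

    def record_login(self, identifier: str, when: datetime) -> None:
        ident = self._entries[identifier]
        if not ident.enabled or ident.retired_at is not None:
            raise PermissionError(f"{identifier} is disabled")
        ident.last_login = when

    def retire(self, identifier: str, now: datetime) -> None:
        """Take an identifier out of service; it stays reserved for IDENTIFIER_HOLD."""
        ident = self._entries[identifier]
        ident.enabled = False
        ident.retired_at = now

    def disable_inactive(self, now: datetime) -> list[str]:
        """Scheduled job: disable every enabled identity not seen for INACTIVITY_LIMIT (3.5.6).
        Identities that have never logged in are measured from creation."""
        disabled = []
        for ident in self._entries.values():
            if not ident.enabled or ident.retired_at is not None:
                continue
            last_seen = ident.last_login or ident.created
            if now - last_seen >= INACTIVITY_LIMIT:
                ident.enabled = False
                disabled.append(ident.identifier)
        return disabled

    def is_enabled(self, identifier: str) -> bool:
        return self._entries[identifier].enabled
```

Running `disable_inactive` on a schedule and logging what it returns gives the auditor a record that the control is actually enforced, and keeping retired entries in the registry (rather than deleting them) is what makes the reuse check possible.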