Title

The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). (Cat II impact)

Discussion

Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information system. Non-organizational users include all information system users other than organizational users which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors and guest researchers). Non-organizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server.

Check Content

Review the application documentation and interview the application administrator. If the application does not host non-organizational users, this requirement is not applicable. Review the application and verify authentication is enabled and required in order for users to access the application. Review the application user base and determine if all user accounts are documented and assigned to a unique individual. Review risk acceptance documentation to determine if there are specific accesses identified that do not require authentication. If the application does not identify and authenticate non-organizational users and there is no risk acceptance documentation approving the exception, this is a finding.

Fix Text

Configure the application to identify and authenticate all non-organizational users.

Additional Identifiers

Rule ID: SV-222556r879617_rule

Vulnerability ID: V-222556

Group Title: SRG-APP-000180

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.