Navigate

IA-11

IA-11: Re-authentication

Require users to re-authenticate when [circumstances or situations requiring re-authentication are defined;].

Supplemental

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
CMMC, DAF Baseline

CSF Categories
PR.AC-1, PR.AC-7

Related Controls

The controls below (if any) were marked by NIST as being related to IA-11.

Control	Description
AC-3	Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-11	a: Prevent further access to the system by [one or more of "initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity"/"requiring the user to initiate a device lock before leaving the system unattended"] ; and b: Retain the device lock until the user reestablishes access using established identification and authentication procedures.
IA-2	Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
IA-3	Uniquely identify and authenticate [devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;] before establishing a [one or more of "local"/"remote"/"network"] connection.
IA-4	Manage system identifiers by: a: Receiving authorization from [personnel or roles from whom authorization must be received to assign an identifier are defined;] to assign an individual, group, role, service, or device identifier; b: Selecting an identifier that identifies an individual, group, role, service, or device; c: Assigning the identifier to the intended individual, group, role, service, or device; and d: Preventing reuse of identifiers for [a time period for preventing reuse of identifiers is defined;].
IA-8	Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

Enhancements

The controls below (if any) add on to the requirements of IA-11.

Control	Description
No controls

Related CCIs

The CCIs below are tied to IA-11.

CCI	Definition
CCI-002036	Defines the circumstances or situations under which users will be required to reauthenticate.
CCI-002038	The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.