Navigate

IA-3(4)

IA-3(4): Device Attestation

The organization ensures that device identification and authentication based on attestation is handled by [organization-defined configuration management process].

Supplemental

Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. This might be determined via some cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the those patches/updates are done securely and at the same time do not disrupt the identification and authentication to other devices.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to IA-3(4).

Control	Description
No controls

Enhancements

The controls below (if any) add on to the requirements of IA-3(4).

Control	Description
No controls

Related CCIs

The CCIs below are tied to IA-3(4).

CCI	Definition
CCI-001964	The organization defines the configuration management process that is to handle the device identification procedures.
CCI-001965	Defines the configuration management process that is to handle the device authentication procedures.
CCI-001966	Handle device identification based on attestation is handled by the organization-defined configuration management process.
CCI-001968	Defines the configuration management process that is to handle the device identification procedures.
CCI-001969	Handle device authentication based on attestation is handled by the organization-defined configuration management process.