Navigate

IA-7

IA-7: Cryptographic Module Authentication

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

Supplemental

Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
DAF Baseline, Privacy (high), Privacy (moderate)

CSF Categories
PR.AC-1

Related Controls

The controls below (if any) were marked by NIST as being related to IA-7.

Control	Description
AC-3	Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
IA-5	Manage system authenticators by: a: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b: Establishing initial authenticator content for any authenticators issued by the organization; c: Ensuring that authenticators have sufficient strength of mechanism for their intended use; d: Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e: Changing default authenticators prior to first use; f: Changing or refreshing authenticators [a time period for changing or refreshing authenticators by authenticator type is defined;] or when [events that trigger the change or refreshment of authenticators are defined;] occur; g: Protecting authenticator content from unauthorized disclosure and modification; h: Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i: Changing authenticators for group or role accounts when membership to those accounts changes.
SA-4	Include the following requirements, descriptions, and criteria, explicitly or by reference, using [one or more of "standardized contract language"/"{{ insert: param, sa-04_odp.02 }} "] in the acquisition contract for the system, system component, or system service: a: Security and privacy functional requirements; b: Strength of mechanism requirements; c: Security and privacy assurance requirements; d: Controls needed to satisfy the security and privacy requirements. e: Security and privacy documentation requirements; f: Requirements for protecting security and privacy documentation; g: Description of the system development environment and environment in which the system is intended to operate; h: Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and i: Acceptance criteria.
SC-12	Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [requirements for key generation, distribution, storage, access, and destruction are defined;].
SC-13	a: Determine the [cryptographic uses are defined;] ; and b: Implement the following types of cryptography required for each specified cryptographic use: [types of cryptography for each specified cryptographic use are defined;].

Enhancements

The controls below (if any) add on to the requirements of IA-7.

Control	Description
No controls

Related CCIs

The CCIs below are tied to IA-7.

CCI	Definition
CCI-000803	Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.