Authenticate users, processes, and devices before granting access
Knowing who someone claims to be is not enough: you must verify that claim before granting access. Authentication requires users, processes, and devices to prove their identity using something they know (a password), something they have (an authenticator app or hardware token), or something they are (a biometric). For systems handling FCI, password-only authentication is no longer adequate: multi-factor authentication sharply reduces account-takeover risk even when a password has already been stolen, because the attacker still lacks the second factor.
Implementation steps
1. Implement and enforce strong password requirements
Configure a password policy that requires a minimum length of at least 12 characters, checks candidate passwords against a blocklist of commonly used and previously breached passwords, and does not force periodic rotation (forced rotation encourages predictable variations of the old password). Enable account lockout or progressive throttling after repeated failed attempts to defend against online brute-force attacks. A hard lockout can be turned into a denial of service by anyone who knows valid usernames, so prefer a time-limited lockout or progressive delays over an indefinite lock.
Tools: active-directory, okta, azure-ad
2. Deploy multi-factor authentication
Enable MFA for every account that can access FCI systems, prioritizing remote access, administrator accounts, and email (email is the usual password-reset channel, so an attacker who controls a mailbox can reset other passwords). Prefer authenticator apps or hardware tokens over SMS, since SMS codes can be intercepted through SIM swapping. Where supported, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, because one-time codes and push approvals can still be relayed through a phishing proxy or approved under social engineering.
Tools: okta, duo, microsoft-authenticator, yubikey, azure-ad
3. Authenticate service accounts and automated processes
Service accounts should authenticate using long, randomly generated credentials or, where supported, certificate-based authentication or managed identities rather than human-memorable passwords. Store service account credentials in a secrets manager rather than in configuration files or source code, and scan repositories and configuration for hardcoded credentials so that the policy is verifiable.
Tools: hashicorp-vault, aws-secrets-manager, azure-key-vault, cyberark
4. Require device authentication for remote access
Configure remote access (VPN, zero-trust access proxy) to verify device identity alongside user identity. Require devices to be enrolled in MDM and to meet compliance criteria (current OS, managed security software) before they are granted access to FCI.
Tools: intune, jamf, zscaler, cloudflare-access
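The password checks and lockout logic from step 1, written out as an added Python example; this is not code from this page or from any of the products listed above. The blocklist contents, the threshold of 5 failures, and the 15-minute window and lockout duration are assumed values that an organization would set in its identity provider, and the `check_password` and `LockoutTracker` names are hypothetical.

```python
import unicodedata
from collections import defaultdict, deque

# Constructed stand-in for a breached/common-password blocklist. A real deployment
# loads a large list (or queries a breached-password service) instead.
COMMON_PASSWORDS = {
    "password", "123456789012", "qwertyuiop12", "welcome12345",
    "letmein12345", "changeme1234", "administrator",
}

MIN_LENGTH = 12             # the page's minimum length
MAX_LENGTH = 128            # allow long passphrases; cap only to bound hashing cost
LOCKOUT_THRESHOLD = 5       # failed attempts before lockout (assumed value)
LOCKOUT_WINDOW = 15 * 60    # seconds within which failures are counted (assumed)
LOCKOUT_DURATION = 15 * 60  # seconds an account stays locked (assumed)


def check_password(password: str, username: str = "") -> list[str]:
    """Return policy violations for a candidate password; an empty list means accept.

    Length is measured after NFKC normalisation so the same passphrase typed on
    different keyboards is judged consistently. There is no composition rule
    (upper/lower/digit/symbol) and no expiry: length plus a blocklist is the policy.
    """
    pw = unicodedata.normalize("NFKC", password)
    lowered = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if len(username) >= 4 and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(lowered)) <= 2:
        problems.append("built from one or two repeated characters")
    return problems


class LockoutTracker:
    """Counts failed logins per account in a sliding window and locks the account
    once the threshold is reached. The lock expires after `duration` seconds, so a
    flood of bad guesses against known usernames cannot lock people out for good."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW,
                 duration=LOCKOUT_DURATION):
        self.threshold, self.window, self.duration = threshold, window, duration
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:                    # lock expired: clear the state
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Record a failed attempt at time `now`; return True if the account is now locked."""
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # drop failures that fell out of the window
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.duration
            return True
        return False

    def record_success(self, account: str) -> None:
        self.failures[account].clear()


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Tr0ub4dor&3", "123456789012"):
        print(repr(pw), "->", check_password(pw) or "ok")
    tracker = LockoutTracker()
    for second in range(6):                 # six bad guesses one second apart
        locked = tracker.record_failure("alice", now=1000 + second)
        print(f"t={second}s failure recorded, locked={locked}")
    print("still locked 10 minutes later:", tracker.is_locked("alice", 1000 + 600))
    print("locked 16 minutes later:", tracker.is_locked("alice", 1000 + 16 * 60))
```

The lockout here is time-limited by design: an attacker who knows usernames can still trip the threshold, but the outage is bounded by the duration rather than requiring a help-desk unlock. Identity providers implement the same idea under names such as smart lockout or progressive delay; the evidence for this step is the configured threshold, window, and duration, not the code.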
Evidence required
Password policy configuration
Evidence of a password policy meeting the length, blocklist, and lockout requirements.
- Active Directory fine-grained password policy settings
- Identity provider password policy screenshot
MFA enrollment evidence
Evidence that MFA is enabled and enforced for accounts accessing FCI.
- MFA enrollment report showing coverage percentage
- Conditional access policy requiring MFA
- Okta MFA policy configuration
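One way to produce the MFA enrollment evidence above (a coverage percentage plus the list of accounts that still need attention), as an added Python example that is not code from this page or from Okta, Duo or Microsoft. The CSV column names (`is_admin`, `remote_access`, `has_mailbox`, `mfa_methods`) are an assumed export layout rather than any product's real schema, the rows are constructed, and the method names are assumptions.

```python
import csv
import io
from dataclasses import dataclass

# Constructed export; the column layout is an assumption, not a real product's schema.
SAMPLE_EXPORT = """\
user,is_admin,remote_access,has_mailbox,mfa_methods
alice@example.com,yes,yes,yes,fido2;totp
bob@example.com,no,yes,yes,sms
carol@example.com,yes,no,yes,
dave@example.com,no,no,no,totp
erin@example.com,no,yes,yes,
svc-backup@example.com,no,no,no,
"""

# Method names are assumptions. FIDO2 is phishing-resistant; TOTP and push stop a
# stolen password but not real-time phishing; SMS and voice are the weakest (SIM swapping).
STRONG_METHODS = {"fido2", "totp", "push", "hardware_token"}
WEAK_METHODS = {"sms", "voice"}
PRIORITY_COLUMNS = ("is_admin", "remote_access", "has_mailbox")  # the page's priorities


@dataclass
class Finding:
    user: str
    reason: str
    priority: str  # "high" for admin, remote-access or mailbox accounts, else "normal"


def mfa_coverage(export_csv: str) -> dict:
    """Summarise MFA coverage and list the accounts that still need attention.

    Returns overall coverage (any method), coverage by strong methods only, and
    findings sorted so the page's priority accounts come first.
    """
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    any_mfa = strong_mfa = 0
    findings = []
    for row in rows:
        methods = {m.strip().lower() for m in row["mfa_methods"].split(";") if m.strip()}
        high = any(row[c].strip().lower() == "yes" for c in PRIORITY_COLUMNS)
        priority = "high" if high else "normal"
        if methods & STRONG_METHODS:
            any_mfa += 1
            strong_mfa += 1
        elif methods & WEAK_METHODS:
            any_mfa += 1  # enrolled, but flagged because SMS/voice is the only factor
            findings.append(Finding(row["user"], "SMS/voice is the only second factor", priority))
        else:
            findings.append(Finding(row["user"], "no MFA enrolled", priority))
    total = len(rows)

    def pct(n: int) -> float:
        return round(100.0 * n / total, 1) if total else 0.0

    findings.sort(key=lambda f: (f.priority != "high", f.user))
    return {
        "total": total,
        "enrolled_any": any_mfa,
        "coverage_pct": pct(any_mfa),
        "strong_pct": pct(strong_mfa),
        "findings": findings,
    }


def print_report(report: dict) -> None:
    print(f"MFA coverage: {report['enrolled_any']}/{report['total']} accounts "
          f"({report['coverage_pct']}%), strong methods {report['strong_pct']}%")
    for f in report["findings"]:
        print(f"  [{f.priority:6}] {f.user}: {f.reason}")


if __name__ == "__main__":
    print_report(mfa_coverage(SAMPLE_EXPORT))
```

Two percentages are reported on purpose: an assessor asks whether MFA is enforced, while the engineer also wants to know how much of that coverage rests on SMS. Service accounts such as `svc-backup` in the sample should be excluded from the human-account export or tracked separately, since step 3 has them authenticate with certificates or managed identities rather than a second factor.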
Secrets management configuration
Evidence that service account credentials are stored securely and not hardcoded.
- Secrets manager configuration screenshot
- Code scan showing no hardcoded credentials
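A minimal version of the hardcoded-credential scan listed as evidence above, added here as a Python example; it is not code from this page or from any scanner product. The sample configuration is constructed (the AWS key ID is the publicly documented example value, not a real credential), the rule set is deliberately small, and the conventions it treats as "references rather than secrets" (`${VAR}`, `vault:` paths, Secrets Manager ARNs, `{{ }}` templates) are assumptions for this example.

```python
import re

# Constructed sample config; none of these values are real credentials.
SAMPLE_CONFIG = """\
# app.conf (constructed sample)
db_host = db.internal.example
db_password = "Sup3r-Secret-Pa55"
api_key = ${API_KEY}
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
vault_token = vault:secret/data/app#token
smtp_password = {{ lookup('aws_secretsmanager', 'smtp') }}
-----BEGIN RSA PRIVATE KEY-----
"""

# Detection rules. The AWS key-ID prefix and the PEM header are well-known formats;
# the assignment rule is a heuristic for "secret-looking name = literal value".
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("secret-assigned-literal",
     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})")),
]

# Values that point into a secrets manager, the environment, or a template engine
# rather than being the secret itself (assumed conventions for this example).
REFERENCE_VALUE = re.compile(
    r"^(?:\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|vault:|arn:aws:secretsmanager:|\{\{.*\}\}|<[^>]+>)"
)


def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line number, rule name) for each line that looks like a hardcoded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            # Only the assignment rule captures a value; skip it when the value is a reference.
            if match.groups() and REFERENCE_VALUE.match(match.group(1)):
                continue
            findings.append((lineno, name))
    return findings


def has_hardcoded_secrets(text: str) -> bool:
    """Pass/fail view suitable for a CI gate or an evidence statement."""
    return bool(scan_text(text))


if __name__ == "__main__":
    for lineno, rule in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}")
```

The assignment rule ignores values shorter than eight characters and so misses short secrets; production scanners add entropy scoring and hundreds of provider-specific patterns. The point of the reference allow-list is the opposite failure: a scan that flags `${API_KEY}` or a Vault path as a leak trains people to ignore it, so the clean run that serves as evidence must come from a scanner whose exclusions are themselves reviewed.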
Related controls
Identify all users, processes, and devices that access systems
Identification
Limit system access to authorized users, processes, and devices
Authorized Access
Limit system access to permitted transactions and functions
Authorized Access
Verify and control connections to external information systems
External Connections