IA.L1-B.1.VI
Authentication

FCI Data

Security Requirement

Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

Authentication is a condition of access. Section 2.3 notes that all university devices must implement access controls. Shared credentials are explicitly prohibited.

NIST Cybersecurity Framework v2

  • Protect (PR): PR.AA-03 - Users, services, and hardware are authenticated.
  • Protect (PR): PR.AA-01 - Identities and credentials for authorized users, services, and hardware are managed by the organization.

Implementation Details

Documentation should include the details needed to meet the Security Requirement for this control. Complete this list for each system, or group of systems, that processes or accesses FCI data:

  • List how user identity is verified before access is granted to the system (e.g., password, MFA).
  • List how service accounts or automated processes are authenticated before performing system functions.
  • List how devices are authenticated before accessing systems that process FCI.
  • List any additional procedures or technologies in place to ensure access is only granted to verified identities.

Document How

  • the identity of each user is authenticated or verified as a prerequisite to system access
  • the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access
  • the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access

Example

All users must authenticate using their USU-issued A# via Entra ID (Azure AD), which enforces password complexity. MFA is required for all SSO-enabled services. Devices must be USU-managed and compliant with institutional endpoint protection policies. Service accounts use secure, randomly generated credentials and are not shared between individuals. Default passwords are changed prior to system deployment.

Entra ID (Azure AD) & Active Directory

What it does:
  • Provides centralized identity and access management for users and devices.
How it helps a researcher:
  • Research staff are assigned unique A#-based user accounts managed through Entra ID and USU Active Directory. Access to research systems, files, and software can be granted only to specific users or groups using security groups, preventing anonymous access.
Example:
  • Access to project files can be restricted to only accounts which are members of the USU-FCI-ProjectAlpha group.

Microsoft Authenticator (MFA)

What it does:
  • Provides multi-factor authentication integrated with Entra ID, requiring a second verification factor during login.
How it helps a researcher:
  • Protects digital identities and research data by reducing the risk of credential theft and unauthorized access, especially for off-campus access to services like Box, Office 365, or VPN.
Example:
  • A researcher signing in to Box.com or VPN is prompted to approve the sign-in in the Microsoft Authenticator app, so a stolen password alone does not grant access. Number matching in the Authenticator push prompt also defeats attackers who repeatedly trigger prompts hoping the user taps Approve; users should still decline and report any prompt for a sign-in they did not start.

Web SSO

What it does:
  • Allows users to authenticate once using their USU A# credentials and access multiple connected services without re-authenticating.
How it helps a researcher:
  • Provides secure, streamlined access to research tools while enforcing consistent authentication controls and reducing password fatigue.
Example:
  • A researcher logs into Outlook with their A# and password, approves the MFA prompt, and gains access to OneDrive, Teams, and Box without re-entering credentials.

Endpoint Management Tools (e.g., Intune, Jamf)

What it does:
  • Allows USU IT to remotely configure, secure, and manage university-owned endpoints, enforce security policies, deploy updates, and maintain compliance.
How it helps a researcher:
  • Ensures research devices are secured and compliant, automating tasks like patching, antivirus enforcement, and encryption across Windows and macOS systems.
Example:
  • A macOS laptop in a research lab is managed through Jamf, receiving updates, enforcing FileVault encryption, and restricting unapproved software. Non-compliant devices are flagged and restricted from accessing sensitive systems.

Institutional VPN Solution

What it does:
  • Provides encrypted remote access to USU’s internal network and restricts access to university-managed devices.
How it helps a researcher:
  • Ensures only approved USU accounts and compliant devices can access internal systems containing FCI, with encrypted data-in-transit for off-campus users.
Example:
  • A researcher connects via VPN using a USU-issued laptop. The system verifies endpoint protection and updates before granting access to the lab network.

*The list of USU services above that could be leveraged to meet this control may not be complete or applicable for a given configuration. The use of a given service does not necessarily satisfy control requirements, or may require specific configuration to meet them. Documentation should include how the service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Review authentication policies, MFA configurations, login workflows, and password policy settings.
  • Interview:
    • Ask administrators how authentication is enforced for users, service accounts, and devices.
  • Test:
    • Attempt to log in with a test account that has no MFA method registered, or from an unmanaged (non-compliant) device, and confirm that access is denied.

Objects (examples of items you could present to the auditor)

  • Authentication Policy: Describes required methods and enforcement mechanisms.
  • MFA Enrollment Records: Showing users are enrolled in an MFA solution.
  • Service Account Logs: Showing when and how automated processes authenticate.
  • Device Trust Configurations: Screenshots of settings ensuring only compliant devices are allowed.
  • Password Policy Settings: Exported or documented policy requiring strong passwords and governing when they must be changed.
  • Default Credential Controls: Evidence of procedures for changing factory/default passwords.
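
Collecting the evidence for the Examine and Test steps can be scripted against Entra ID. The following is an added example, written for this page rather than taken from USU's tooling, that uses the Microsoft Graph PowerShell SDK to (1) list which Conditional Access policies actually enforce MFA together with a compliant device for the FCI group, flagging report-only policies and policies that exclude the group, (2) export the MFA registration state of the group's members, and (3) pull recent sign-ins for those members showing whether MFA was required and the device was compliant. The group name (taken from the example above), the Graph scopes and the output file names are assumptions.

```powershell
<#
Added example, not USU's own tooling: collects auditor evidence for
IA.L1-B.1.VI from Entra ID with the Microsoft Graph PowerShell SDK.
Assumptions: the SDK modules below are installed, the signed-in account
holds the listed read-only scopes, and the FCI security group name is the
one used in this page's example. Output file names are illustrative.
#>
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports

param(
    [string]$FciGroupName = 'USU-FCI-ProjectAlpha',   # assumed group name
    [string]$OutDir       = '.\IA.L1-B.1.VI-evidence'  # assumed output folder
)

Connect-MgGraph -NoWelcome -Scopes 'Policy.Read.All', 'Group.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$group = Get-MgGroup -Filter "displayName eq '$FciGroupName'"
if (-not $group) { throw "Group '$FciGroupName' not found in Entra ID" }

# --- Evidence 1: Conditional Access (MFA configuration, device trust configuration)
# A policy only enforces this control if it is enabled (not report-only), targets the
# FCI group or all users without excluding the group, and requires MFA AND compliant device.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$caReview = foreach ($p in $policies) {
    $u        = $p.Conditions.Users
    $controls = @($p.GrantControls.BuiltInControls)
    [pscustomobject]@{
        Policy                  = $p.DisplayName
        State                   = $p.State   # enabled / disabled / enabledForReportingButNotEnforced
        TargetsFciGroup         = ($u.IncludeUsers -contains 'All') -or ($u.IncludeGroups -contains $group.Id)
        ExcludesFciGroup        = ($u.ExcludeGroups -contains $group.Id)
        RequiresMfa             = $controls -contains 'mfa'
        RequiresCompliantDevice = $controls -contains 'compliantDevice'
        Operator                = $p.GrantControls.Operator   # must be AND for both controls to apply
        Apps                    = (@($p.Conditions.Applications.IncludeApplications) -join ';')
    }
}
$caReview | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'conditional-access-review.csv')

$enforcing = $caReview | Where-Object {
    $_.State -eq 'enabled' -and $_.TargetsFciGroup -and -not $_.ExcludesFciGroup -and
    $_.RequiresMfa -and $_.RequiresCompliantDevice -and $_.Operator -eq 'AND'
}
if (-not $enforcing) {
    Write-Warning "No enabled Conditional Access policy requires MFA AND a compliant device for '$FciGroupName'."
} else {
    Write-Host "Policies enforcing MFA + compliant device for ${FciGroupName}: $($enforcing.Policy -join ', ')"
}

# --- Evidence 2: MFA enrollment of the group's members (MFA enrollment records)
$memberIds    = @((Get-MgGroupMember -GroupId $group.Id -All).Id)
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $memberIds -contains $_.Id } |
    Select-Object UserPrincipalName, IsMfaRegistered, IsMfaCapable, DefaultMfaMethod,
                  @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ';' } }
$registration | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'mfa-registration.csv')

$gaps = $registration | Where-Object { -not $_.IsMfaRegistered }
if ($gaps) {
    Write-Warning "Members of '$FciGroupName' with no MFA method registered: $($gaps.UserPrincipalName -join ', ')"
} else {
    Write-Host "All $($registration.Count) members of $FciGroupName have an MFA method registered."
}

# --- Evidence 3: recent sign-ins showing the controls actually fired (supports the Test step)
# AuthenticationRequirement: multiFactorAuthentication vs singleFactorAuthentication
# ConditionalAccessStatus:   success / failure / notApplied
$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
$signIns = foreach ($id in $memberIds) {
    Get-MgAuditLogSignIn -All -Filter "userId eq '$id' and createdDateTime ge $since" |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
                      AuthenticationRequirement, ConditionalAccessStatus,
                      @{ Name = 'DeviceCompliant'; Expression = { $_.DeviceDetail.IsCompliant } },
                      @{ Name = 'Result'; Expression = { if ($_.Status.ErrorCode -eq 0) { 'success' } else { "failed ($($_.Status.ErrorCode))" } } }
}
$signIns | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'fci-signins-7d.csv')
Write-Host "Evidence written to $OutDir"
```

Run it from an account holding only the read scopes listed; the three CSVs map onto the MFA Enrollment Records, Device Trust Configurations and Service Account/sign-in log objects above. A policy in the enabledForReportingButNotEnforced state is deliberately left out of the enforcing set: report-only policies record what would have happened but do not block a sign-in, so they are not evidence that authentication is a prerequisite to access.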