Identification and Authentication is often the front-line defense of system security and is used to protect the system from unauthorized access.


3.5.1Identify system users, processes acting on behalf of users, and devices
3.5.2Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organization systems.
3.5.5Prevent reuse of identifiers for a defined period.
3.5.6Disable identifiers after a defined period of inactivity.

User accounts for covered contractor systems need to have unique identifiers in order to be able to verify the user logging onto the system.  Examples of identifiers would be the user’s first name, first initial + last name, or first name + last name. Unique identifiers are also essential for the traceability of actions made on the system. Identifiers are then linked to established group policies and permissions for processes and devices. 

When a user enters his or her unique identifier, the system also needs a way to verify that the user is, in fact, who they claim to be.  The most common way to achieve this is to require not only a unique identifier but also a password.  We will talk more about passwords below for controls 3.5.7 through 3.5.9.

User login identifiers are usually user names assigned to individuals.  Systems should be configured to not allow re-use of an identifier for a pre-defined period of time, to prevent confusion and to maintain a consistent audit and accountability process.

Inactive user accounts or identifiers create a vulnerability in a system.  Systems should be configured to disable identifiers after a pre-defined period of inactivity, such as a year, or even just a month, depending on the type of information stored and processed on the system.

Multi-Factor Authentication

3.5.3Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts

For systems processing or storing sensitive information, Multi-Factor Authentication (“MFA”) adds an extra level of security because it requires the user to provide two or more verification factors to log onto the system.  In addition to a user name and password, measures such as tokens or biometric readings can be added for automated recognition.

MFA is often used by companies allowing remote access via a Virtual Private Network (“VPN”). 

Replay Resistance

3.5.4Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

NIST defines replay resistance as “protection against the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access”.

Replay-resistant authentication basically prevents a malicious actor from eavesdropping on network traffic (often called a man in the middle attack) or impersonating an authorized user by recording or otherwise capturing his or her login information. 

Techniques include authentication end-point protocols using NONCES (number once used, random or pseudo-random numbers) or challenge responses, such as “what was the name of your first pet”. 

Password Management

3.5.7Enforce a minimum password complexity and change of characters when new passwords are created.
3.5.8Prohibit password reuse for a specified number of generations.
3.5.9Allow temporary password use for system logons with an immediate change to a permanent password.
3.5.11Obscure feedback of authentication information.

The use of strong passwords is vital for protecting an organization’s sensitive information.  Recommended protocol for strong passwords is a minimum of 12 characters, including numbers, letters, and symbols.  Unique passphrases are recommended because they tend to be longer and more complex than the average password.  Password length and complexity are part of system configuration.

Systems should also be configured to have passwords automatically expire after a pre-defined period of time, such as one month or three months.  Users should be alerted enough in advance to create a new, secure password or passphrase for their user identity.  In addition to the required length and complexity of the new password, re-use of a previous password should be prohibited for a pre-determined number of generations, such as ten or twenty.  This can be controlled through a “password history policy”. 

New system users should be given a temporary password for initial login, with the requirement to change the password upon first login.

When users enter login credentials, the feedback (what’s on the screen) should be obscured.  For example, unobserved onlookers would see “********” instead of the actual password being entered into the system.

Encryption Protection

3.5.10Store and transmit only cryptographically-protected passwords.

User account information must be stored securely in a system. Non-encrypted passwords can be viewed by anyone able to read what’s on the server.  Encryption camouflages your password by turning it into random series of letter and numbers.  This is achieved through hashing (randomly-generated series of numbers and letters) and salting (adding numbers and letters appended to the hash).

Examples of password encryption methods include AES, RSA, and Triple DES (“3DES”).  Your organization should determine the appropriate method based on the amount and type of data requiring encryption.

Need Help?

If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DoD work.

FoxGuard Solutions delivers reliable, secure and configurable solutions to solve technology and compliance challenges faced by critical infrastructure entities.  With over four decades of experience, our team focuses on delivering customized cybersecurity and compliance solutions.

Our services will help guide your organization through the Discovery, Planning, Execution and Maintenance phases necessary to allow your organization to attain Cybersecurity Maturity Model Certification (CMMC).  Our team of experts will partner with you to review existing policies, processes, procedures, and technical controls to identify any gaps with CMMC requirements.  An execution plan will be created that aligns with your needs, budget and timeline, and which outlines a recommended approach to attain CMMC.

As a Microsoft Gold Certified Partner, FoxGuard Solutions has experience in delivering both on premise as well as cloud-based solutions to assist you with your compliance needs.

FoxGuard Solutions is ISO 9001 and ISO 27001 certified, and is a CMMC-AB Registered Provider Organization

Please visit for more information.