
Part 10, Chapter 7: Manual Exhibit 10-7-A

Indian Health Service
Cybersecurity and Privacy Control Definitions
Identification and Authentication Controls

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations," provides a catalog of security and privacy controls and control enhancements that must be implemented for Federal information systems.

Many of these controls and enhancements include specific parameters which must be defined by Federal agencies.  The Department of Health and Human Services (HHS) has defined roughly 50 percent of these parameters in the HHS-Office of the Chief Information Officer Policy for Information Systems Security and Privacy (IS2P).  HHS directs Operating Divisions to inherit these parameters and develop their own definitions for the remaining 50 percent.

The Indian Health Service (IHS) Cybersecurity and Privacy Control Definitions (CPCD) specifies the IHS-defined security control parameters in compliance with HHS direction. The Federal Risk and Authorization Management Program parameters specifically applicable to cloud systems are located at https://www.fedramp.gov/documents/.

The NIST 800-53, Rev 4 Identification and Authentication (IA) family controls that were withdrawn or were not selected by HHS are not included in the table below. The NIST 800-53, Rev 4 controls are located at https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final

Table columns: Control ID | Control Title | Control Description | IHS Minimum Requirement by System Category (Low / Moderate / High)

Each entry below gives the control identifier (with its control enhancement number, "c.e.", where applicable), the control title, the control description, and whether the control is Selected for Low, Moderate and High system categories.

Identification and Authentication (IA)

IA-1: Identification and Authentication Policies and Procedures

IHS:
  1. Develops, documents, and disseminates to all IHS personnel (via IHS.gov websites) for IHS-wide policies/procedures, and to all system personnel for individual systems as required by the System Owner or designee:
    1. An Identification and Authentication (IA) policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance (Note: IHS covers this control by establishing IHM Part 10, Cybersecurity); and
    2. Procedures to facilitate the implementation of the IA policy and associated identification and authentication controls.
  2. Per IHM Part 1, Chapter 1, “Indian Health Service Manual System,” reviews the IA policy at least every two years and submits to the Division of Management Policy and Internal Control for revision when needed.
  3. Reviews the IA standard operating procedures at least every three years, and updates the procedures when needed.

Low: Selected | Moderate: Selected | High: Selected

IA-2: Identification and Authentication (Organizational Users)

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Low: Selected | Moderate: Selected | High: Selected

IA-2 c.e.1: Network Access to Privileged Accounts

The information system implements multifactor authentication for network access to privileged accounts.

Low: Selected | Moderate: Selected | High: Selected

IA-2 c.e.2: Network Access to Non-Privileged Accounts

The information system implements multifactor authentication for network access to non-privileged accounts.

Low: Not Selected | Moderate: Selected | High: Selected

IA-2 c.e.3: Local Access to Privileged Accounts

The information system implements multifactor authentication for local access to privileged accounts.

Low: Not Selected | Moderate: Selected | High: Selected

IA-2 c.e.4: Local Access to Non-Privileged Accounts

The information system implements multifactor authentication for local access to non-privileged accounts.

Low: Not Selected | Moderate: Not Selected | High: Selected

IA-2 c.e.8: Network Access to Privileged Accounts – Replay Resistant

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

Note: Replay-resistant techniques include, for example, protocols that use nonces or challenges, such as Transport Layer Security (TLS), and time-synchronous or challenge-response one-time authenticators.

Low: Not Selected | Moderate: Selected | High: Selected

IA-2 c.e.9: Network Access to Non-Privileged Accounts – Replay Resistant

The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

Note: Replay-resistant techniques include, for example, protocols that use nonces or challenges, such as TLS, and time-synchronous or challenge-response one-time authenticators.

Low: Not Selected | Moderate: Not Selected | High: Selected

IA-2 c.e.11: Remote Access – Separate Device

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access, and the device meets strength of mechanism requirements as defined by OMB e-Authentication requirements and Federal Information Processing Standards.

Low: Not Selected | Moderate: Selected | High: Selected

IA-2 c.e.12: Acceptance of PIV Credentials

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

Low: Selected | Moderate: Selected | High: Selected

IA-3: Device Identification and Authentication

The information system uniquely identifies and authenticates applicable systems prior to establishing a connection to the network.  Such systems must use shared information (MAC or IP address) and access control lists to control network access.  If remote authentication is provided by the system itself, the system must be in compliance with OMB Memorandum 04-04, E-Authentication Guidance for Federal Agencies.

Low: Not Selected | Moderate: Selected | High: Selected

IA-4: Identifier Management

The IHS manages information system identifiers by executing the following actions:

  1. Receiving authorization from individuals responsible for account management before assigning an individual, group, role, or device identifier;
  2. Selecting an identifier that identifies an individual, group, role, or device;
  3. Assigning the identifier to the intended individual, group, role, or device;
  4. Preventing reuse of identifiers for three years; and
  5. Disabling the identifier after [Assignment*], per system categorization, or after fewer days at the discretion of the IHS.

Low: Selected, *Assignment: 90 days | Moderate: Selected, *Assignment: 60 days | High: Selected, *Assignment: 30 days
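The five IA-4 actions above form one identifier lifecycle: authorization before assignment, no reuse for three years, and disabling after the per-category inactivity period (90, 60 or 30 days). The following registry, added here as an illustration and not IHS code, enforces those rules for a single system; the class, method names and the sample identifiers ("jdoe", "asmith") are constructed for the example, and the inactivity sweep is shown as a date-based batch job, which is one of several ways a system could implement item 5.

```python
from datetime import date, timedelta

# IA-4 parameters as stated on this page: inactivity period before an
# identifier is disabled, by system category (item 5), and the reuse bar (item 4).
INACTIVITY_DAYS = {"low": 90, "moderate": 60, "high": 30}
REUSE_BAR = timedelta(days=3 * 365)


class IdentifierRegistry:
    """Tracks identifiers for one system and enforces the IA-4 lifecycle rules (hypothetical class)."""

    def __init__(self, category: str):
        self.inactivity_limit = timedelta(days=INACTIVITY_DAYS[category])
        self.active = {}    # identifier -> date of last recorded activity
        self.disabled = {}  # identifier -> date it was disabled

    def assign(self, identifier: str, authorized_by: str, today: date) -> None:
        """Items 1-4: assign only with an authorizer on record, never while the
        identifier is in use, and not within three years of it being disabled."""
        if not authorized_by:
            raise PermissionError(f"{identifier}: no account-management authorization recorded")
        if identifier in self.active:
            raise ValueError(f"{identifier}: already assigned")
        disabled_on = self.disabled.get(identifier)
        if disabled_on is not None and today - disabled_on < REUSE_BAR:
            raise ValueError(f"{identifier}: reuse blocked until {disabled_on + REUSE_BAR}")
        self.disabled.pop(identifier, None)
        self.active[identifier] = today

    def record_activity(self, identifier: str, today: date) -> None:
        if identifier not in self.active:
            raise KeyError(f"{identifier}: not an active identifier")
        self.active[identifier] = today

    def disable_inactive(self, today: date) -> list:
        """Item 5: disable every identifier idle longer than the category's limit;
        returns the identifiers disabled by this sweep, in sorted order."""
        stale = sorted(i for i, last in self.active.items() if today - last > self.inactivity_limit)
        for identifier in stale:
            del self.active[identifier]
            self.disabled[identifier] = today
        return stale


def run_scenario() -> dict:
    """Constructed sample data: one identifier walked through the lifecycle
    on a Moderate system (60-day inactivity limit)."""
    reg = IdentifierRegistry("moderate")
    reg.assign("jdoe", authorized_by="account-manager", today=date(2024, 1, 1))
    reg.record_activity("jdoe", date(2024, 2, 1))
    out = {
        "sweep_at_29_days": reg.disable_inactive(date(2024, 3, 1)),   # still within 60 days
        "sweep_at_61_days": reg.disable_inactive(date(2024, 4, 2)),   # idle 61 days: disabled
    }
    try:
        reg.assign("jdoe", "account-manager", date(2025, 1, 1))
        out["reuse_after_1_year"] = "allowed"
    except ValueError as exc:
        out["reuse_after_1_year"] = str(exc)
    reg.assign("jdoe", "account-manager", date(2027, 4, 3))           # past the 3-year bar
    out["reuse_after_3_years"] = "jdoe" in reg.active
    try:
        reg.assign("asmith", "", date(2027, 4, 3))                     # item 1: no authorizer
        out["unauthorized_assignment"] = "accepted"
    except PermissionError:
        out["unauthorized_assignment"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The reuse bar is measured from the date the identifier was disabled, since that is the last point at which it referred to someone; a system that instead deletes identifiers would start the three-year clock at deletion.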

IA-5: Authenticator Management

The IHS manages information system authenticators by:

  1. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
  2. Establishing initial authenticator content for authenticators defined by the organization;
  3. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  4. Establishing and implementing administrative procedures for initial authenticator distribution (i.e., communicating passwords for encrypted files via a separate communication session rather than via the transmission of files themselves, such as sending one email with an encrypted file, and another email with the file password, etc.), for lost/compromised or damaged authenticators, and for revoking authenticators;
  5. Changing default content of authenticators prior to information system installation;
  6. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
  7. Changing/refreshing authenticators at the following intervals:
    • Passwords – no longer than every 60 days, immediately in the event of known or suspected compromise, and immediately upon system installation (e.g. default or vendor-supplied passwords)
    • PIV Compliant Access Cards – no longer than every five years
    • Public Key Infrastructure (PKI) certificates issued in accordance with Federal PKI Common Policy – no longer than every one year for contractors and three years for Federal employees
    • All other authenticators – as defined by the system owner
  8. Protecting authenticator content from unauthorized disclosure and modification;
  9. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
  10. Changing authenticators for group/role accounts when membership to those accounts changes.

Any PKI authentication request must be validated by Online Certificate Status Protocol (OCSP) or certificate revocation list (CRL) to ensure that the certificate being used for authentication has not been revoked.

Low: Selected | Moderate: Selected | High: Selected

IA-5 c.e.1: Password-Based Authentication

The information system, for password-based authentication:

  1. Enforces minimum password complexity of at least one character from each of the four character categories (A-Z, a-z, 0-9, special characters), minimum length of eight characters for regular user passwords, and minimum length of 15 characters for administrators or privileged users;
  2. Enforces at least 75% of characters changed when new passwords are created;
  3. Stores and transmits only encrypted representations of passwords;
  4. Enforces minimum password age of one day and maximum password age of 60 days;
  5. Prohibits password reuse for at least six generations; and
  6. Allows the use of a temporary password for system logons with an immediate change to a permanent password.

Note: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators.  This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., PIV cards). Also, administrator/privileged users are defined as those authorized for limited administrative purposes only based on business or technical need.  Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords.  The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords.  To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.

Low: Selected | Moderate: Selected | High: Selected
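The six IA-5 c.e.1 requirements above, together with the note's definitions (changed characters counted against the positions of the current password, lifetime limits not applying to temporary passwords), can be checked at password-change and logon time. The following validator is added here as an illustration and is not IHS code; it assumes a salted PBKDF2-SHA256 digest as the "encrypted representation" (the page names no algorithm, and the note mentions salting), and the account, function names and sample passwords in `run_scenario` are constructed for the example.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Parameters exactly as stated in IA-5 c.e.1 on this page.
MIN_LEN_USER = 8                 # regular users
MIN_LEN_PRIV = 15                # administrators / privileged users
MIN_CHANGED = 0.75               # share of current-password positions that must change
HISTORY_DEPTH = 6                # generations that may not be reused
MIN_AGE = timedelta(days=1)
MAX_AGE = timedelta(days=60)
CHAR_CLASSES = {
    "A-Z": set(string.ascii_uppercase),
    "a-z": set(string.ascii_lowercase),
    "0-9": set(string.digits),
    "special": set(string.punctuation),
}


def derive(password: str, salt: bytes) -> bytes:
    """Salted one-way derivation (assumed algorithm); only this digest is stored (item 3)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Generation:
    salt: bytes
    digest: bytes
    set_at: datetime
    temporary: bool = False      # item 6: temporary password, must be changed at once

    def matches(self, password: str) -> bool:
        return hmac.compare_digest(derive(password, self.salt), self.digest)


@dataclass
class Account:
    privileged: bool
    history: list = field(default_factory=list)   # oldest first, current password last


def complexity_errors(password: str, privileged: bool) -> list:
    """Item 1: one character from each of the four classes and the role-based minimum length."""
    errors = []
    min_len = MIN_LEN_PRIV if privileged else MIN_LEN_USER
    if len(password) < min_len:
        errors.append(f"length {len(password)} below minimum {min_len}")
    chars = set(password)
    for name, cls in CHAR_CLASSES.items():
        if not chars & cls:
            errors.append(f"no character from class {name}")
    return errors


def changed_fraction(current: str, new: str) -> float:
    """Item 2 as defined in the note: positions of the current password that differ
    in the new one (a position past the end of the new password counts as changed)."""
    if not current:
        return 1.0
    changed = sum(1 for i, c in enumerate(current) if i >= len(new) or new[i] != c)
    return changed / len(current)


def validate_change(account: Account, current_pw: str, new_pw: str, now: datetime) -> list:
    """Return the policy violations for a requested change; an empty list means allowed."""
    errors = complexity_errors(new_pw, account.privileged)
    if account.history:
        cur = account.history[-1]
        if not cur.matches(current_pw):
            return ["current password incorrect"]
        if not cur.temporary and now - cur.set_at < MIN_AGE:       # item 4 (min age)
            errors.append("minimum password age of one day not reached")
        if changed_fraction(current_pw, new_pw) < MIN_CHANGED:       # item 2
            errors.append("fewer than 75% of characters changed")
        if any(g.matches(new_pw) for g in account.history[-HISTORY_DEPTH:]):   # item 5
            errors.append(f"password reused within last {HISTORY_DEPTH} generations")
    return errors


def set_password(account: Account, new_pw: str, now: datetime, temporary: bool = False) -> None:
    salt = os.urandom(16)
    account.history.append(Generation(salt, derive(new_pw, salt), now, temporary))
    del account.history[:-HISTORY_DEPTH]    # keep only the generations the policy compares against


def login_requires_change(account: Account, now: datetime) -> bool:
    """Item 4 (max age) and item 6: force a change if temporary or older than 60 days."""
    cur = account.history[-1]
    return cur.temporary or now - cur.set_at > MAX_AGE


def run_scenario() -> dict:
    """Constructed sample data: a regular user's account from temporary password onward."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account(privileged=False)
    set_password(acct, "Temp0rary!pass", t0, temporary=True)
    out = {"temp_forces_change": login_requires_change(acct, t0)}
    out["temp_change_allowed"] = validate_change(acct, "Temp0rary!pass", "Correct#Horse42", t0)
    set_password(acct, "Correct#Horse42", t0)
    out["too_soon"] = validate_change(acct, "Correct#Horse42", "Another!Pass99x", t0 + timedelta(hours=2))
    out["too_similar"] = validate_change(acct, "Correct#Horse42", "Correct#Horse43", t0 + timedelta(days=2))
    out["wrong_current"] = validate_change(acct, "wrong", "Another!Pass99x", t0 + timedelta(days=2))
    set_password(acct, "Another!Pass99x", t0 + timedelta(days=2))
    out["reuse"] = validate_change(acct, "Another!Pass99x", "Correct#Horse42", t0 + timedelta(days=5))
    out["valid_at_30_days"] = login_requires_change(acct, t0 + timedelta(days=32))
    out["expired_at_61_days"] = login_requires_change(acct, t0 + timedelta(days=63))
    return out
```

Because the current password is supplied by the user at change time, the 75% rule can be evaluated position by position without ever storing a recoverable form of any password; the reuse check works only on stored digests.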

IA-5 c.e.2: PKI-Based Authentication

The information system, for PKI-based authentication:

  1. Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
  2. Enforces authorized access to the corresponding private key;
  3. Maps the authenticated identity to the account of the individual or group; and
  4. Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

Low: Not Selected | Moderate: Selected | High: Selected

IA-5 c.e.3: In-Person or Trusted Third-Party Registration

The IHS requires that the registration process to receive all IHS-defined administrative tokens and other credentials used for two-factor authentication be conducted in person before a designated registration authority with authorization by a designated organizational official with issuance rights.

Low: Not Selected | Moderate: Selected | High: Selected

IA-5 c.e.11: Hardware Token-Based Authentication

The information system, for hardware token-based authentication, employs mechanisms that satisfy token quality requirements as defined by the IHS.

Note: Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government PIV card. Organizations define specific requirements for tokens, such as working with a particular PKI.

Low: Selected | Moderate: Selected | High: Selected

IA-6: Authenticator Feedback

The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

Note: Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.

Low: Selected | Moderate: Selected | High: Selected

IA-7: Cryptographic Module Authentication

The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication (esp. FIPS 140-2).

Low: Selected | Moderate: Selected | High: Selected

IA-8: Identification and Authentication (Non-Organizational Users)

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users), including Tribal entities, prior to allowing access to IHS systems and networks (unless a risk-based decision is made for a particular system that does not require non-organization user authentication, such as webpages and other resources specifically for public consumption).

Low: Selected | Moderate: Selected | High: Selected

IA-8 c.e.1: Acceptance of PIV Credentials From Other Agencies

The information system accepts and electronically verifies PIV credentials from other Federal agencies.

Note: If an IHS system independently recognizes PIV or CAC credentials from external Federal agencies, this requires that the IHS also verify the validity upon each use of this external credential via CRL or OCSP to be sure that the certificate is still valid prior to granting access.

Low: Selected | Moderate: Selected | High: Selected

IA-8 c.e.2: Acceptance of Third-Party Credentials

The information system accepts only Federal Identity, Credential, and Access Management (FICAM)-approved third-party credentials.

Note: FICAM-approved path discovery and validation products and services are those products and services that have been approved through the FICAM conformance program, where applicable.  Additional guidance is available at https://www.idmanagement.gov/.

Low: Selected | Moderate: Selected | High: Selected

IA-8 c.e.3: Use of FICAM-Approved Products

The IHS employs only FICAM-approved information system components in systems defined by the IHS to accept third-party credentials.

Low: Selected | Moderate: Selected | High: Selected

IA-8 c.e.4: Use of FICAM-Issued Profiles

The information system conforms to FICAM-issued profiles.

Low: Selected | Moderate: Selected | High: Selected