Identification and Authentication

Identification and authentication (I&A) is the security process of claiming an identity (identification — 'I am Jane Smith') and proving it (authentication — 'here is my password and my CAC'). Together, they ensure that only verified, known individuals gain access to systems and data.

I&A requirements under CMMC include uniquely identifying each user (no shared accounts), implementing multi-factor authentication for remote and privileged access, managing authenticators (passwords, tokens, certificates), and re-authenticating users when sessions expire or when required by policy.

Why It Matters

Identification and authentication is a CMMC domain with specific requirements that assessors will test. Unique user identification, strong password policies, and MFA for remote access are among the most scrutinized controls during assessment.

Related Resources

CMMC: IA.L1-3.5.1
CMMC: IA.L1-3.5.2
NIST 800-171: 3.5.1
NIST 800-171: 3.5.2
NIST 800-171: 3.5.3
NIST 800-171: 3.5.4
NIST 800-171: 3.5.5
NIST 800-171: 3.5.6