NIST 800-171 • LEVEL 2 • IDENTIFICATION AND AUTHENTICATION
3.5.2 — Device Identification and Authentication
Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers [IEEE] 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Public Key Infrastructure (PKI) and certificate revocation checking for the certificates exchanged can be included as part of device authentication.
CMMC Practice Mapping
Assessment Objectives
- {{ insert: param, A.03.05.02.ODP.01 }} are authenticated before establishing a system connection.
- {{ insert: param, A.03.05.02.ODP.01 }} are uniquely identified before establishing a system connection.
Practitioner Notes
This is about identifying and authenticating devices — not just people — before they connect to your network. You need to know what machines are on your network and verify they are authorized to be there.
Rogue devices plugged into your network are a serious risk, especially in environments handling CUI.
Example 1: Implement 802.1X port-based authentication on your network switches. On Cisco switches, configure dot1x system-auth-control globally, then on each access port enable authentication port-control auto. Pair this with a RADIUS server (like Microsoft NPS or Cisco ISE) that checks machine certificates before granting network access.
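As an added example (not part of the original page), the following Python script audits a Cisco IOS running-config for the 802.1X settings described in Example 1: it checks that dot1x system-auth-control is enabled globally, that a RADIUS server is defined, and that every access port carries authentication port-control auto (plus the dot1x pae authenticator line that IOS needs on the port). The sample config, the interface names and the RADIUS server name NPS01 are constructed.

```python
import re

# Constructed sample running-config (not from a real device): one compliant
# access port, one access port missing 802.1X, and a trunk port that is exempt.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius server NPS01
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for each interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the interface block
    return blocks

def audit_dot1x(config):
    """Return a list of findings; an empty list means the config meets the checks."""
    findings = []
    if "dot1x system-auth-control" not in config.splitlines():
        findings.append("global: dot1x system-auth-control is not enabled")
    if not re.search(r"^radius server ", config, re.M):
        findings.append("global: no RADIUS server defined")
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # only access ports must authenticate the attached endpoint
        if "authentication port-control auto" not in lines:
            findings.append(f"{name}: access port lacks 'authentication port-control auto'")
        if "dot1x pae authenticator" not in lines:
            findings.append(f"{name}: access port lacks 'dot1x pae authenticator'")
    return findings
```

Run audit_dot1x on the output of show running-config from each access switch; any finding is a port or global setting to remediate before the switch can be counted as enforcing this practice.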
Example 2: In Microsoft Entra ID (Azure AD), use Conditional Access policies to require device compliance. Go to Entra Admin Center > Protection > Conditional Access > New Policy. Set the condition to require the device be marked as compliant in Intune before accessing company resources. This ensures only enrolled, managed devices can authenticate to your cloud services.