NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-11 Re-authentication

Require users to re-authenticate when {{ insert: param, ia-11_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.

Practitioner Notes

Re-authentication means requiring users to prove their identity again during a session — not just at initial login but periodically or before sensitive actions.

Example 1: Configure Azure AD Conditional Access to require re-authentication with MFA every 4 hours for access to sensitive applications like financial systems or admin portals.

Example 2: Implement step-up authentication in your web application that requires users to re-enter their password or MFA code before performing high-risk actions like changing account settings or downloading bulk data.
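The two patterns in the practitioner notes above, periodic re-authentication after a fixed interval and step-up authentication before high-risk actions, can be expressed as a single session policy. The following is an added example written for this page; it is not part of the NIST control text and not code from any vendor product. It assumes a server-side session that records the time of the user's last successful MFA authentication, a 4-hour maximum session age (taken from Example 1), a 5-minute freshness window for step-up (an assumed value), and a constructed set of high-risk action names.

```python
"""
Re-authentication policy for a web application session (added example).

  * periodic re-authentication: the session's authentication proof expires
    after MAX_SESSION_AGE (assumed 4 hours, per Example 1 above)
  * step-up authentication: actions in HIGH_RISK_ACTIONS also require an
    authentication no older than STEP_UP_FRESHNESS (assumed 5 minutes)

Session contents, action names and timestamps below are constructed for
this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_SESSION_AGE = timedelta(hours=4)        # periodic re-auth interval
STEP_UP_FRESHNESS = timedelta(minutes=5)    # how recent auth must be for step-up

# Constructed list of actions that require a fresh authentication.
HIGH_RISK_ACTIONS = {"change_account_settings", "bulk_download", "grant_admin_role"}

# Fixed "current time" used by demo() so results are reproducible.
EXAMPLE_NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


@dataclass
class Session:
    user: str
    last_auth_at: datetime      # most recent successful password + MFA check
    mfa_verified: bool = True   # False if the session never completed MFA


def reauth_required(session, action, now=None):
    """Return (required, reason); reason is None when the action may proceed."""
    now = now or datetime.now(timezone.utc)
    age = now - session.last_auth_at
    if not session.mfa_verified:
        return True, "mfa_missing"
    if age > MAX_SESSION_AGE:
        # Periodic re-authentication: proof of identity is too old for any action.
        return True, "session_age_exceeded"
    if action in HIGH_RISK_ACTIONS and age > STEP_UP_FRESHNESS:
        # Step-up: sensitive action, but the last authentication is not recent enough.
        return True, "step_up_required"
    return False, None


def record_reauth(session, now=None):
    """Call after the user successfully re-enters password and MFA code."""
    session.last_auth_at = now or datetime.now(timezone.utc)
    session.mfa_verified = True
    return session


def perform_action(session, action, now=None):
    """Gate an action on the policy; the caller redirects to re-auth when told to."""
    required, reason = reauth_required(session, action, now)
    if required:
        return {"status": "reauth_required", "reason": reason, "action": action}
    return {"status": "ok", "action": action}


def demo():
    """Walk one constructed session through the policy and return the decisions."""
    s = Session("alice", last_auth_at=EXAMPLE_NOW)
    results = [
        # 30 minutes in: routine action is fine, sensitive action needs step-up.
        perform_action(s, "view_dashboard", now=EXAMPLE_NOW + timedelta(minutes=30)),
        perform_action(s, "bulk_download", now=EXAMPLE_NOW + timedelta(minutes=30)),
    ]
    # User re-authenticates; the sensitive action is now allowed.
    record_reauth(s, now=EXAMPLE_NOW + timedelta(minutes=31))
    results.append(perform_action(s, "bulk_download", now=EXAMPLE_NOW + timedelta(minutes=32)))
    # Five hours in (4h29m since the last re-auth): even routine actions require re-auth.
    results.append(perform_action(s, "view_dashboard", now=EXAMPLE_NOW + timedelta(hours=5)))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The policy is evaluated on every request rather than only at login, so an attacker who obtains a long-lived session cookie still cannot perform a high-risk action without the user's current credentials, and a session that idles past the periodic limit is forced back through full authentication regardless of what it tries next.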