NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-3(1) Cryptographic Bidirectional Authentication

Authenticate [Assignment: organization-defined devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

A local connection is a connection with a device that communicates without the use of a network. A network connection is a connection with a device that communicates through a network. A remote connection is a connection with a device that communicates through an external network. Bidirectional authentication provides stronger protection to validate the identity of other devices for connections that are of greater risk.

Practitioner Notes

This enhancement requires that a connection be established only after both endpoints have proven their identity to each other by cryptographic means: the connecting device authenticates to the system or network it is joining, and that system authenticates back to the device. A one-way check, where the device presents a credential but accepts whatever the other side claims, does not satisfy it. Neither does authentication based on identifiers that can be copied or spoofed, such as MAC addresses or identity strings sent in the clear, because those are not cryptographic proofs of possession.

Example 1: Use mutual TLS (mTLS) for server-to-server communication. Each side presents a certificate and verifies the other's chain against a trusted CA before any application data is exchanged. The part that makes it bidirectional is on the server: it must require a client certificate (not merely request one) and reject connections whose certificate does not chain to the expected CA. On the client, the server certificate must be validated against the trust store and matched to the expected hostname; disabling verification on either side reduces the exchange to one-way or no authentication.

Example 2: Configure 802.1X with EAP-TLS, where the client device (supplicant) and the RADIUS server authenticate each other with digital certificates inside the TLS tunnel before the switch port or wireless association is opened to traffic. The supplicant side is where deployments most often fall short: it must be configured to validate the RADIUS server's certificate against the organization's CA and to check the expected server name. Otherwise a rogue access point presenting any certificate can complete the exchange and the device has authenticated itself to an attacker.
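The following is an added example, not part of this control page or of any product's code, showing Example 1's mutual check in a running program; the same chain-of-trust logic is what the supplicant and RADIUS server perform inside the EAP-TLS tunnel in Example 2. It uses only Go's standard crypto/tls and crypto/x509 packages. The CA, the names server.example.internal and client.example.internal, the throwaway key generation, and the loopback listener are all constructed for the demonstration. The server requires a client certificate chaining to its trusted CA; the client requires the same of the server plus a hostname match. Three runs show a trusted client accepted, a client presenting no certificate refused, and a client whose certificate carries the right name but is issued by an untrusted CA refused.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issueCert mints a P-256 key and certificate for cn: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent. This is a throwaway PKI constructed for the demo only.
func issueCert(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
	}
	issuer, issuerKey := tmpl, crypto.Signer(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
	} else {
		issuer, issuerKey = parent.Leaf, parent.PrivateKey.(crypto.Signer)
		tmpl.DNSNames, tmpl.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature // SAN the peer matches on
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// TestPKI is a constructed trust domain: a trusted CA with a server and a client leaf, plus a
// client leaf carrying the same name but issued by an unrelated CA, which the server must refuse.
type TestPKI struct {
	Trusted               *x509.CertPool
	Server, Client, Rogue tls.Certificate
}

func NewTestPKI() *TestPKI {
	ca, untrustedCA := issueCert("Example Internal CA", nil), issueCert("Untrusted CA", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return &TestPKI{Trusted: pool, Server: issueCert("server.example.internal", &ca),
		Client: issueCert("client.example.internal", &ca), Rogue: issueCert("client.example.internal", &untrustedCA)}
}

// Handshake runs one loopback connection: the server demands a client certificate chaining to the trusted
// CA and the client (offering clientCerts, possibly none) demands the same of the server. It returns the
// identity each side verified for the other, or an error if either side refused.
func (p *TestPKI) Handshake(clientCerts ...tls.Certificate) (serverSawClient, clientSawServer string, err error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{p.Server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // server side: a client cert is mandatory...
		ClientCAs:    p.Trusted,                      // ...and must chain to this anchor
	}))
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			// Handshake fails (alerting the peer) when the client cert is absent or untrusted;
			// only after success does the server send the identity it accepted.
			if tc := conn.(*tls.Conn); tc.Handshake() == nil {
				fmt.Fprint(tc, tc.ConnectionState().VerifiedChains[0][0].Subject.CommonName)
			}
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:      p.Trusted,                 // client side: server cert must chain here...
		ServerName:   "server.example.internal", // ...and carry this name in its SAN
		Certificates: clientCerts,               // what the client offers as its own identity
	})
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	// Under TLS 1.3 the client's handshake can finish before the server has judged the client
	// certificate, so the server's verdict is only observable on the first read.
	accepted, err := io.ReadAll(conn)
	if err != nil {
		return "", "", err
	}
	return string(accepted), conn.ConnectionState().VerifiedChains[0][0].Subject.CommonName, nil
}

func main() {
	p := NewTestPKI()
	fmt.Println(p.Handshake(p.Client)) // client.example.internal server.example.internal <nil>
	fmt.Println(p.Handshake())         // err: server refused a client with no certificate
	fmt.Println(p.Handshake(p.Rogue))  // err: server refused a certificate from an untrusted CA
}
```

Two points for a real deployment that the example deliberately keeps visible: RequireAndVerifyClientCert only proves that the peer holds a key certified by the trusted CA, so deciding which verified identities are allowed to connect is a separate authorization step on the verified chain (in Go, a VerifyPeerCertificate callback or a check on ConnectionState), and under TLS 1.3 a client must not treat a completed Dial as proof that the server accepted it, since the server's rejection only arrives with the first read.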