NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-3(4) Device Attestation

Handle device identification and authentication based on attestation by {{ insert: param, ia-03.04_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. Device attestation can be determined via a cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the patches and updates are done securely and do not disrupt identification and authentication to other devices.

Practitioner Notes

This enhancement requires device attestation — the ability for a device to cryptographically prove it is in a known-good state, not just that it has valid credentials.

Example 1: Use Windows Attestation with a Trusted Platform Module (TPM) to verify that a device's boot process has not been tampered with before granting network access.

Example 2: Implement Intune device compliance policies that check TPM attestation, Secure Boot status, and BitLocker encryption before allowing access to sensitive resources.
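The attestation model in the Supplemental Guidance and the state checks in the two examples, worked through as an added illustration (not code from NIST, Microsoft, or any product): a verifier admits a device only when the hash of its reported state matches a baseline that the configuration management process has already approved, so a patch rolled out before its new baseline is registered breaks authentication. The hashing scheme, the registry, the field names and the sample build values are all constructed for this example.

```python
import hashlib
import json

def measure(config: dict) -> str:
    """Hash of a device's reported configuration and operating state. Real
    deployments take this from TPM-backed measurements (PCR values, a
    measured-boot log); here it is SHA-256 over canonical JSON."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

class KnownGoodRegistry:
    """Allow-list of approved measurements, owned by configuration management."""
    def __init__(self):
        self.approved = {}  # measurement hash -> baseline label

    def approve(self, label: str, config: dict) -> str:
        """Register a baseline BEFORE it is rolled out to devices."""
        digest = measure(config)
        self.approved[digest] = label
        return digest

    def retire(self, label: str) -> None:
        """Drop a superseded or vulnerable baseline."""
        self.approved = {h: l for h, l in self.approved.items() if l != label}

def attest(registry: KnownGoodRegistry, reported: dict) -> tuple:
    """Identify and authenticate a device by its attested state, not a credential."""
    label = registry.approved.get(measure(reported))
    if label is None:
        return (False, "unknown state: deny and route to investigation")
    return (True, label)

# Constructed sample baselines (made-up values, not real firmware builds).
BUILD_V1 = {"firmware": "1.0", "secure_boot": True, "disk_encrypted": True}
BUILD_V2 = {"firmware": "1.1", "secure_boot": True, "disk_encrypted": True}
TAMPERED = {"firmware": "1.0", "secure_boot": False, "disk_encrypted": True}

def scenario() -> dict:
    """Walk through the patch-handling caveat from the supplemental guidance."""
    reg = KnownGoodRegistry()
    reg.approve("build-1.0", BUILD_V1)
    out = {"v1_device": attest(reg, BUILD_V1)[0],
           "tampered": attest(reg, TAMPERED)[0],
           # patch applied outside configuration management: attestation breaks
           "v2_before_approval": attest(reg, BUILD_V2)[0]}
    reg.approve("build-1.1", BUILD_V2)  # config management publishes the new baseline
    out["v2_after_approval"] = attest(reg, BUILD_V2)[0]
    reg.retire("build-1.0")  # and retires the superseded one
    out["v1_after_retire"] = attest(reg, BUILD_V1)[0]
    return out
```

Any change to the measured state, whether an unapproved patch or a disabled Secure Boot flag, yields a different digest and is denied, which is why the new baseline must be approved before the patch ships.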