NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-5(2) — Public Key-based Authentication
For public key-based authentication: Enforce authorized access to the corresponding private key; and Map the authenticated identity to the account of the individual or group; and When public key infrastructure (PKI) is used: Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and Implement a local cache of revocation data to support path discovery and validation.
Supplemental Guidance
Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network.
Practitioner Notes
This enhancement addresses public key-based authentication — using certificates and PKI rather than passwords for stronger authentication.
Example 1: Deploy an internal Active Directory Certificate Services (AD CS) PKI and issue user certificates for smart card (CAC/PIV) authentication to workstations and VPN.
Example 2: Configure Azure AD certificate-based authentication (CBA) so users can authenticate to cloud applications using their X.509 certificates stored on smart cards or devices.