NIST SP 800-171 – UNDERSTANDING CYBERSECURITY THROUGH IDENTIFICATION AND AUTHENTICATION

February 28, 2024

In today’s digital era, the intersection of technology and security is the basis of our cyber defense strategies. As government contractors and organizations strive to protect Controlled Unclassified Information (CUI), adherence to NIST SP 800-171’s requirements is mandatory. This blog is part of a series dedicated to understanding these requirements, with a focus on enhancing identification and authentication to thwart unauthorized access.

Key Takeaways

  • Understand the important role of managing identifiers, enforcing password integrity, and using Multi-Factor Authentication (MFA) as keystones in safeguarding user credentials and ensuring a fortified cybersecurity posture.
  • Ensure identifiers are properly managed. No identifier should be reused and disabled after a defined period of inactivity. Enforce integrity on new passwords by requiring users to create a completely new combination differing from previous passwords.
  • Safeguard passwords and accounts from unauthorized access by using various authentication mechanisms. Protect user credentials from identity theft and brute force attacks and enforce minimum password complexities.

Fundamentals of Identification and Authentication

Identification and authentication acts as the first line of defense against unauthorized access to systems and data. Identification involves recognizing a user or device that is attempting to access a system. Authentication is the process of verifying that an individual is who they claim to be. These are two essential concepts when strengthening your cybersecurity posture and protecting against cyberattacks.

Analyzing NIST SP 800-171’s Identification and Authentication Requirement

Identifying Key Participants and Authenticating Their Legitimacy (3.5.1 and 3.5.2)  

The foundation of robust cybersecurity lies in the precise identification of users and devices along with their authentication. By using unique identifiers and diverse authentication mechanisms, which can range from traditional passwords to sophisticated biometric and cryptographic methods, we can create a secure and resilient digital environment.

Elevating Security with Multi-Factor Authentication and Defense Strategies (3.5.3 and 3.5.4) 

MFA elevates our security measures by requiring a combination of verification factors, which significantly diminishes the chances of unauthorized breaches. Simultaneously, our strategy to combat replay attacks involves deploying one-time codes and unique challenges, making stolen data useless for unauthorized purposes.

3.5.5. Prevent reuse of identifiers for a defined period. Organizations must ensure previously used identifiers are not assigned to a different individual, group, role, or device.

3.5.6. Disable identifiers after a defined period of inactivity. Attackers can easily gain undetectable access to organizational devices by exploiting inactive identifiers. The identifier owners may not even notice the misuse. It is the organization’s responsibility to define the time period of inactivity to disable the identifier.

3.5.7. Enforce a minimum password complexity and change of characters when new passwords are created. When new passwords are created, there must be rules in place that dictate the number of changes required. The complexity of changed characters refers to the number of changes required with respect to the total number of positions in the current password string. Using a randomly generated salt string for passwords is also something organizations should consider. Salt strings give organizations the ability to uniquely identify every password regardless of whether different users create a password with the same characters.

3.5.8. Prohibit password reuse for a specified number of generations. This requirement prevents users from reusing a previous password. Depending on the system, this is set to a certain number of previous generations. For example, if the system is configured to not allow the reuse of the previous five passwords, users will not be able to use their last five passwords. NIST SP 800-171 recommends at least five generations of passwords before you can reuse a password. This process prevents attackers who may gain access to one password from easily compromising other accounts using the same password.

3.5.9. Allow temporary password use for system logons with an immediate change to a permanent password. When setting up new accounts or resetting forgotten passwords, temporary passwords can grant you access before requiring an immediate change to a permanent password. The temporary password is only valid for a short amount of time, minimizing the risk if compromised. Requiring immediate changes from temporary passwords to permanent passwords ensures that the strength of the authentication mechanism is implemented at the earliest possible time and that the authenticator is confidential and unique to the authorized user – reducing the likelihood of authenticator compromises.

3.5.10. Store and transmit only cryptographically protected passwords. Storing and transmitting passwords in plain text is a major security risk. Three methods to cryptographically protect passwords are hashing, salting, and storing passwords securely. Hashing creates a unique fingerprint of the password so it cannot be easily reversed. It is a best practice to never store passwords directly. Instead, use a strong one-way hashing algorithm like SHA-256. Salting adds a unique string to the password before hashing. This prevents attackers from using precomputed rainbow tables to crack common passwords. Lastly, store passwords in a secure location that is separate from user data. Consider using a dedicated password manager with access controls or a database with strong encryption.

3.5.11. Obscure feedback of authentication information. Obscuring feedback of authentication information means hiding what the user inputs during the login process. This reduces the risk of shoulder surfing and someone obtaining information to access your account. The feedback from the system does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. Some of the common methods for obscuring feedback is masking input: replacing typed characters with asterisks or dots; limiting visibility: briefly displaying characters before obscuring them; and providing generic messages: “incorrect credentials.”

Best Practices 

Securing passwords is an ongoing process. Using strong passwords, enabling MFA, and updating password policies regularly ensures protection for users and systems. By implementing these measures, organizations can significantly reduce the risk of unauthorized access and data breaches. It is clear that the strength of an organization’s security infrastructure is significantly bolstered by rigorous identification and authentication protocols. The crux of NIST SP 800-171, Identification and Authentication, lies in the emphasis on the need for meticulous identification and robust authentication mechanisms. This ensures that only authorized users and devices gain access to sensitive information, thereby serving as the main barrier against threats targeting the confidentiality, integrity, and availability of controlled, unclassified information.

These are just a few examples of how to implement Identification and Authentication whether you are a DoD Contractor or part of the Defense Industrial Base (DIB). Look for our next blog on Incident Response.

Stay Ahead of the Game: Ensure Your NIST SP 800-171 Compliance for DoD Contracts

IBSS will use our 20 years of corporate DoD cybersecurity experience to prepare you for NIST SP 800-171 compliance. We specialize in developing cybersecurity strategies that align with organizational business processes to detect or prevent cyber attacks. We identify threats and vulnerabilities, and we assist organizations with managing risks to critical data. We provide expert support to promote compliance with Defense Federal Acquisition Regulation Supplement (DFARS), Federal Information Security Modernization Act (FISMA), Federal Risk and Authorization Management Program (FedRAMP), NIST SP 800-171, and Privacy requirements.

Contact us now to get a free consultation on how to develop your company’s NIST SP 800-171 SSP.

Related

Learn more about IBSS