Identification & Authentication (IA): Enhancing Identity & Access Security

All 11 controls in the Identification & Authentication family are listed below.


Got questions? Contact our team today for a free CMMC Consultation

3.5.1

Identify system users, processes acting on behalf of users, and devices, assigning each a unique identifier before granting access.

NIST 800-171 Control Identifier: 3.5.1
CMMC Control Identifier: IA.L1-3.5.1
Control CMMC Level: 1
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

IA-2: Identification and Authentication (Organizational Users)

IA-3: Device Identification and Authentication

IA-5: Authenticator Management

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Entra ID (Azure AD) for unique user identities and system authenticator policies)

3.5.2

Authenticate (or verify) the identities of users, processes, or devices as a prerequisite to allowing access to organizational systems, so that only authorized entities are admitted.

NIST 800-171 Control Identifier: 3.5.2
CMMC Control Identifier: IA.L1-3.5.2
Control CMMC Level: 1
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

IA-2: Identification and Authentication (Organizational Users)

IA-3: Device Identification and Authentication

IA-5: Authenticator Management

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Entra ID for user/device identity verification and authentication workflows)

3.5.3

Use multifactor authentication (MFA) for:

• All local and network access to privileged accounts

• Network access to non-privileged accounts

NIST 800-171 Control Identifier: 3.5.3
CMMC Control Identifier: IA.L2-3.5.3
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

IA-2(1): Multi-factor Authentication to Privileged Accounts

IA-2(2): Multi-factor Authentication to Non-privileged Accounts

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Entra ID with Conditional Access and MFA enforcement policies)
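The Conditional Access policy that enforces 3.5.3 in Entra ID can be created from PowerShell rather than clicked together in the portal. The script below is an added example for this guide, not code from the page or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the tenant has Entra ID P1 or higher, and that the break-glass group object ID is a placeholder you replace with your own emergency-access group. It deliberately creates the policy in report-only mode so sign-in logs can be reviewed before anyone is locked out.

```powershell
# Added example: require MFA for all users on all cloud apps (NIST 800-171 3.5.3),
# created in report-only mode with the emergency-access group excluded.
# Assumes the Microsoft.Graph SDK; the group ID below is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All' -NoWelcome

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your break-glass group

$policy = @{
    displayName = 'IA-3.5.3 Require MFA for all users (report-only pilot)'
    # Report-only logs what the policy WOULD do without enforcing it. Switch to
    # 'enabled' only after reviewing the Conditional Access sign-in reports.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)     # never lock out emergency access
        }
        applications = @{
            includeApplications = @('All')            # every Entra-integrated app
        }
        clientAppTypes = @('all')                     # browsers, desktop/mobile, legacy clients
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')                    # grant access only after MFA
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Two points a CMMC assessor will probe: Conditional Access only governs network access to applications that authenticate through Entra ID, so local access to privileged accounts (an administrator logging on at a server console) still has to be covered by something like Windows Hello for Business or smart card logon; and the excluded break-glass accounts need compensating controls (long random passwords stored offline, sign-in alerting) documented in the SSP.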

3.5.4

Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. Replay-resistant techniques rely on nonces or challenges, for example challenge-response protocols such as smart card (PKI) or FIDO2 authentication and time-synchronous one-time authenticators, so that a captured authentication exchange cannot simply be re-submitted later.

NIST 800-171 Control Identifier: 3.5.4
CMMC Control Identifier: IA.L2-3.5.4
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

IA-2(8): Access to Accounts | Replay Resistant (nonce- or challenge-based mechanisms such as FIDO2, smart card/PKI, and one-time authenticators)

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Entra ID support for FIDO2 security keys, Windows Hello for Business (a biometric or PIN gesture unlocks a device-bound asymmetric key; the biometric itself is never sent over the network), and certificate-based/smart card authentication)

3.5.5

Prevent reuse of identifiers (e.g., user names or device identifiers) for a defined period, so that a recycled identifier cannot inherit the access rights or audit trail of its previous owner.

NIST 800-171 Control Identifier: 3.5.5
CMMC Control Identifier: IA.L2-3.5.5
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

IA-4: Identifier Management (assign, maintain, and revoke identifiers for users, devices, and processes, and prevent their reuse for a defined period)

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Entra ID policies, identity lifecycle controls, and audit logs to enforce identifier uniqueness and non-reuse policies)

3.5.6

Disable identifiers after a defined period of inactivity, so that dormant or forgotten accounts cannot be used for unauthorized access.

NIST 800-171 Control Identifier: 3.5.6
CMMC Control Identifier: IA.L2-3.5.6
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

IA-4: Identifier Management (includes disabling identifiers after a defined period of inactivity)

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Entra ID access review and lifecycle automation tools to detect and disable dormant accounts based on inactivity policies)
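Access reviews handle the attestation side of 3.5.6, but the inactivity threshold itself is easiest to evidence with a script that reads sign-in activity and disables what has gone quiet. The following is an added example written for this guide, not code from the page or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK, Entra ID P1 or P2 (required for the signInActivity property), and a 90-day inactivity period, which is an assumed value you should replace with the period documented in your policy; the excluded UPN is a placeholder for your emergency-access account.

```powershell
# Added example: report, and optionally disable, Entra ID user accounts with no
# sign-in within $InactiveDays days (NIST 800-171 3.5.6). Assumes Microsoft.Graph
# SDK and Entra ID P1/P2. Dry run by default; pass -Disable to enforce.
param(
    [int]$InactiveDays = 90,                               # assumed policy value
    [string[]]$ExcludeUpn = @('breakglass1@example.com'),  # placeholder break-glass account(s)
    [switch]$Disable
)

Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All','User.EnableDisableAccount.All' -NoWelcome

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$InactiveDays)

# Graph does not let signInActivity be combined with other $filter properties,
# so pull every user once and filter on the client side.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,CreatedDateTime,UserType,SignInActivity

$dormant = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }                      # already disabled
    if ($ExcludeUpn -contains $u.UserPrincipalName) { continue }  # never auto-disable break-glass

    # Use the most recent of interactive and non-interactive sign-in: accounts used
    # only by scripts or mail clients appear under the non-interactive timestamp.
    $stamps = @($u.SignInActivity.LastSignInDateTime,
                $u.SignInActivity.LastNonInteractiveSignInDateTime) | Where-Object { $_ }
    $last = if ($stamps) { $stamps | Sort-Object -Descending | Select-Object -First 1 }
            else         { $u.CreatedDateTime }                   # never signed in: age from creation

    if ($last -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType
            LastActivity      = $last
            DaysInactive      = [int]($now - $last).TotalDays
        }
    }
}

$dormant | Sort-Object DaysInactive -Descending | Format-Table -AutoSize

if ($Disable) {
    foreach ($d in $dormant) {
        # Disable rather than delete: the identifier stays reserved (supports 3.5.5)
        # and the account can be reviewed or restored before any deletion.
        Update-MgUser -UserId $d.UserPrincipalName -AccountEnabled:$false
        Write-Host "Disabled $($d.UserPrincipalName) (inactive $($d.DaysInactive) days)"
    }
}
```

Run it without -Disable first and keep the report as assessment evidence. Guest users and shared or service accounts often have legitimate long gaps, so review the list before enforcing, and schedule the script (for example from Azure Automation) so the check happens on the cadence your policy states rather than ad hoc.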

3.5.7

Enforce a minimum password complexity and require that a defined number of characters change when a new password is created.

NIST 800-171 Control Identifier: 3.5.7
CMMC Control Identifier: IA.L2-3.5.7
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

IA-5(1): Authenticator Management | Password-based Authentication (complexity, reuse restrictions, changed-character requirements, and cryptographic protection of stored and transmitted passwords)

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Entra Password Protection, which screens new passwords against Microsoft's global banned-password list and a custom tenant list and can be extended to on-premises AD DS. Note that the cloud Entra ID password policy has a fixed complexity rule (8 to 256 characters drawn from at least three of four character classes) that cannot be customized, and neither Entra ID nor AD DS natively enforces a minimum number of changed characters; that part of the control is typically met by documented policy combined with password history and banned-password screening)

3.5.8

Prohibit password reuse for a specified number of generations, so that a previously compromised or exposed password cannot be brought back into service.

NIST 800-171 Control Identifier: 3.5.8
CMMC Control Identifier: IA.L2-3.5.8
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

IA-5(1): Authenticator Management | Password-based Authentication (complexity, reuse restrictions, changed-character requirements, and cryptographic protection of stored and transmitted passwords)

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Entra ID password history enforcement. Note that the cloud-only Entra ID policy prevents reuse of only the immediately previous password; a longer history (up to 24 generations) comes from the AD DS password policy for synchronized accounts, and Entra Password Protection blocks known-weak passwords and their common variants regardless of history)

3.5.9

Allow temporary password use for system logons only when an immediate change to a permanent password is enforced at first logon. This supports secure provisioning and limits the exposure of preloaded credentials.

NIST 800-171 Control Identifier: 3.5.9
CMMC Control Identifier: IA.L2-3.5.9
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

IA-5(1): Authenticator Management | Password-based Authentication (complexity, reuse restrictions, changed-character requirements, and cryptographic protection of stored and transmitted passwords)

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes the Entra ID force-change-password-at-next-sign-in option for administrator-assigned temporary passwords, and Temporary Access Pass, a time-limited and optionally single-use credential for onboarding users to passwordless methods)

3.5.10

Store and transmit only cryptographically protected passwords, using approved hashing or encryption; never store or transmit passwords in plaintext.

NIST 800-171 Control Identifier: 3.5.10
CMMC Control Identifier: IA.L2-3.5.10
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

IA-5(1): Authenticator Management | Password-based Authentication (complexity, reuse restrictions, changed-character requirements, and cryptographic protection of stored and transmitted passwords)

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Entra ID, which never stores cleartext passwords; with password hash synchronization, Microsoft Entra Connect sends a salted PBKDF2-HMAC-SHA256 derivation of the on-premises hash rather than the hash itself, over TLS. Azure Key Vault protects application secrets, and all Entra authentication traffic is carried over TLS)

3.5.11

Obscure feedback of authentication information (for example, mask passwords as they are typed and keep failure messages generic) so that unauthorized individuals cannot learn or reconstruct credentials from what the system displays.

NIST 800-171 Control Identifier: 3.5.11
CMMC Control Identifier: IA.L2-3.5.11
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

IA-6: Authentication Feedback (obscure feedback of authentication information during the authentication process)

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Entra ID sign-in pages that mask typed passwords and return a generic "account or password is incorrect" message on failure, and self-service password reset that never displays the existing credential)

Microsoft Cloud for CMMC Compliance

Contact our team today

See how Agile IT's MSP for CMMC can strengthen your data security and allow your team to focus on your business's objectives and success.
