>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

IA-10Adaptive Authentication

IL5
IL6

>Control Description

Require individuals accessing the system to employ organization-defined supplemental authentication techniques or mechanisms under specific organization-defined circumstances or situations.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Adversaries may compromise individual authentication mechanisms employed by organizations and subsequently attempt to impersonate legitimate users. To address this threat, organizations may employ specific techniques or mechanisms and establish protocols to assess suspicious behavior. Suspicious behavior may include accessing information that individuals do not typically access as part of their duties, roles, or responsibilities; accessing greater quantities of information than individuals would routinely access; or attempting to access information from suspicious network addresses.

When pre-established conditions or triggers occur, organizations can require individuals to provide additional authentication information. Another potential use for adaptive authentication is to increase the strength of mechanism based on the number or types of records being accessed. Adaptive authentication does not replace and is not used to avoid the use of multi-factor authentication mechanisms but can augment implementations of multi-factor authentication.

>Related Controls

IA-2
IA-8

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of IA-10 (Adaptive Authentication)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring IA-10?
  • How frequently is the IA-10 policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures IA-10 requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce IA-10 requirements.
  • What automated tools, systems, or technologies are deployed to implement IA-10?
  • How is IA-10 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce IA-10 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of IA-10?
  • What audit logs, records, reports, or monitoring data validate IA-10 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of IA-10 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate IA-10 compliance?

Ask AI

Configure your API key to use AI features.