|IA-3 (1) Cryptographic Bidirectional Authentication || |
A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections).
The information system authenticates Assignment: organization-defined specific devices and/or types of devices before establishing Selection (one or more): local; remote; network connection using bidirectional authentication that is cryptographically based.
|IA-3 (2) Cryptographic Bidirectional Network Authentication || |
Withdrawn: Incorporated into IA-3 (1).
|IA-3 (3) Dynamic Address Allocation || |
DHCP-enabled clients obtaining leases for IP addresses from DHCP servers, is a typical example of dynamic address allocation for devices.
The organization: IA-3 (3)(a)
Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with Assignment: organization-defined lease information and lease duration; and IA-3 (3)(b)
Audits lease information when assigned to a device.
|IA-3 (4) Device Attestation || |
Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. This might be determined via some cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the those patches/updates are done securely and at the same time do not disrupt the identification and authentication to other devices.
The organization ensures that device identification and authentication based on attestation is handled by Assignment: organization-defined configuration management process.