Group authenticators for application or network access may be used only in conjunction with an individual authenticator. Any use of group authenticators not based on the DoD PKI has been explicitly approved by the Designated Approving Authority (DAA).
MAC / CONF | Impact | Subject Area |
---|---|---|
CLASSIFIED SENSITIVE | Medium | Identification and Authentication |
Threat |
---|
Group authenticators allow users within a single domain, user group, or role-and-permissions set to access specific applications or network resources without repeating an individual authentication. Permitting group authentication to system resources without first requiring individual authentication creates the risk that unauthorized users gain access to those resources. |
Guidance

1. The system administrator and project manager shall determine whether group accounts are necessary to support system operations and the mission.
2. Once group accounts are determined to be required for system maintenance and operations and/or network access, the system administrator and project manager shall determine whether the group authenticators can be based on the DoD PKI.
3. If the DoD PKI can be used, the system administrator shall coordinate with the DoD PKI Program Office for the use of group accounts.
4. If the DoD PKI cannot be used, the project manager submits a request for approval to the DAA and obtains the DAA's approval.
5. For group accounts that support application maintenance and functions or network access, the system and network administrators shall:
   - Identify the individual groups that require group accounts
   - Identify the users in each group, maintain the list of users, and keep it updated
   - Determine the group accounts needed for each group's functions
   - Assign each group its own group account and a unique password
   - Distribute the passwords to the users securely
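The requirements above can be checked against a group-account register during an audit. The following is an added example, not part of the control text: it assumes a register with the fields shown (member list with its last review date, whether an individual logon is required first, whether the authenticator is DoD PKI based, a DAA approval reference, and an opaque credential handle used to detect one password shared across groups), and it assumes a 90-day review interval that the control itself does not specify.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class GroupAccount:
    """One entry of a group-account register (field names are assumed, not from the control text)."""
    name: str
    members: list                    # individuals authorized to use the group authenticator
    list_updated: date               # when the member list was last reviewed
    individual_auth_required: bool   # group authenticator used only after an individual logon
    pki_based: bool                  # authenticator is based on the DoD PKI
    daa_approval: str = ""           # DAA approval reference when not PKI-based (placeholder)
    credential_id: str = ""          # opaque handle for the group password, used to detect reuse


def check_register(accounts, today, max_age_days=90):
    """Return (account, finding) pairs for every requirement of the control that is not met."""
    findings = []
    seen_credentials = {}  # credential_id -> first account that used it
    for acct in accounts:
        if not acct.individual_auth_required:
            findings.append((acct.name, "used without an individual authenticator"))
        if not acct.pki_based and not acct.daa_approval:
            findings.append((acct.name, "non-PKI group authenticator has no DAA approval"))
        if not acct.members:
            findings.append((acct.name, "no documented list of users"))
        elif (today - acct.list_updated).days > max_age_days:
            findings.append((acct.name, "user list not updated within the review period"))
        if acct.credential_id in seen_credentials:
            findings.append((acct.name, "password shared with " + seen_credentials[acct.credential_id]))
        else:
            seen_credentials[acct.credential_id] = acct.name
    return findings


# Constructed sample register: one compliant entry and one that misses every requirement.
TODAY = date(2024, 1, 15)
SAMPLE_ACCOUNTS = [
    GroupAccount("ops-maint", ["alice", "bob"], date(2024, 1, 5), True, True, "", "cred-A"),
    GroupAccount("net-admin", [], date(2023, 6, 1), False, False, "", "cred-A"),
]

if __name__ == "__main__":
    for account, finding in check_register(SAMPLE_ACCOUNTS, TODAY):
        print(f"{account}: {finding}")
```

Running it reports four findings, all against the `net-admin` entry, and none against `ops-maint`.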