IAGA-1 Group Authentication


Overview

Group authenticators for application or network access may be used only in conjunction with an individual authenticator. Any use of group authenticators not based on the DoD PKI has been explicitly approved by the Designated Approving Authority (DAA).

MAC / CONF: CLASSIFIED, SENSITIVE
Impact: Medium
Subject Area: Identification and Authentication

Details

Threat
Group authenticators allow users within a single domain, user group, or role and permissions set to access specific applications or network resources without having to repeat an individual authentication instance. Permitting group authentication to system resources without first requiring individual authentication creates a risk of enabling unauthorized users to access system resources.

Guidance
1. The system administrator and project manager shall determine if it is necessary to assign group accounts to support system operations and the mission.
2. Once it is determined that group accounts are required to support system maintenance and operations and/or network access, the system administrator and the project manager shall determine if group authenticators can be used based on the DOD PKI.
3. If the DOD PKI can be used, the system administrator shall coordinate with the DOD PKI Program Office for use of group accounts.
4. If the DOD PKI cannot be used, the project manager shall submit a request for approval to the DAA and obtain approval from the DAA.
5. For group accounts that support application maintenance and functions or network access, the system and network administrators shall perform the following:
  · Identify individual groups that require group accounts
  · Identify users for each group, maintain the list of users, and update the list
  · Determine the group accounts depending on group functions
  · Assign individual group accounts and a unique password for individual groups
  · Distribute the passwords to the users securely

References

  • DODD 5200-2, DOD Personnel Security Program, 09 April 1999
  • CJCSI - Information Assurance (IA) and Computer Network Defense (CND)
  • CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
  • DISA Network Infrastructure STIG, Version 5, Release 2.29, September 2003
  • DISA Network Infrastructure Security Checklist, Version 5, Release 2.2, 23 September 2004
  • NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995