UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

IAGA-1 Group Authentication


Overview

Group authenticators for application or network access may be used only in conjunction with an individual authenticator. Any use of group authenticators not based on the DoD PKI has been explicitly approved by the Designated Approving Authority (DAA).

MAC / CONF Impact Subject Area
CLASSIFIED
SENSITIVE
Medium Identification and Authentication

Details

Threat
Group authenticators allow users within a single domain, user group, or role and permissions set to access specific applications or network resources without having to repeat an individual authentication instance.  Permitting group authentication to system resources without first requiring individual authentication opens the risk of enabling  unauthorized users to access system resources.

Guidance
1. The system administrator and project manager shall determine if it is necessary to assign group accounts to support system operations and mission.
2. Once it is determined that group accounts are required to support system maintenance and operations and/or network access, the system administrator and the project manager shall determine if group authenticators can be used based on the DOD PKI.
3. If the DOD PKI can be used, the system administrator shall coordinate with the DOD PKI Program Office for use of group accounts.
4. If the DOD PKI cannot be used, the project manager submits a request for an approval to DAA and obtains an approval from DAA.
5. For the group accounts to support application maintenance and functions or network access, the system and network administrators shall perform the following:
  · Identify individual groups that require group accounts
  · Identify users for each group, maintain the list of users, and update the list
  · Determine the group accounts depending on group functions
  · Assign individual group accounts and a unique password for individual groups
  · Distribute the passwords to the users securely

References

  • DODD 5200-2, DOD Personnel Security Program, 09 April 1999
  • CJCSI - Information Assurance (IA) and Computer Network Defense (CND)
  • CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
  • DISA Network Infrastructure STIG, Version 5, Release 2.29, September 2003
  • DISA Network Infrastructure Security Checklist, Version 5, Release 2.2, 23 September 2004
  • NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995