The fifth family of requirements in the NIST 800-171 standard is Identification and Authentication. This family covers how your authorized users are verified before they gain access to your system.

Why is Identification and Authentication important?

It is not enough for us to control who can access our data and systems. We also have to put in cybersecurity safeguards to ensure the people we allow in are indeed who they say they are. I may have a policy in place that allows only current employees within my organization to access a staff portal that contains restricted data. But, how can I know that the people entering the staff portal are indeed current employees? For that, we need to be able to verify identities and establish policies and procedures around how people are verified before they can get into our systems.


What is Identification and Authentication about in NIST 800-171?

The Identification and Authentication family contains eleven security requirements. The main focus of this family is verifying that the people who are accessing your systems are the ones authorized to do so. Some of the key points within this family include:

  1. Verify the identity of any person or device accessing your system—ensure that the system login information matches a known authorized user and that any devices that access your system can be traced to an assigned and authorized user.
  2. Enforce minimum complexity protocols for passwords—help your authorized users keep their passwords secure by including a password policy. Password complexity protocols establish how long passwords should be and if numerals, uppercase letters, or special characters (!, @, *, etc.) are required.
  3. Use multifactor authentication for network access—enable at least a two-factor authentication which requires another authentication tool in addition to the login and password. This may either be through a numeric code sent to a user’s mobile device or a fingerprint scanner.
  4. Set access time-out to disable access after a period of account inactivity—set a session time-out that will automatically close a network connection after a specified time.  This will prevent a user from keeping an open connection to your data unless they are actively working in the system.


Check back for our next blog post and learn more about the Incident Response family. You may also be interested in reading our last post on Configuration Management.


Katherine Bennett

Katherine Bennett leads the Instructional Design team for NCMEP partner NC State Industry Expansion Solutions. She also serves as project manager for instructional design services. Katherine plays a key leadership role in supporting the IES goal of providing instructional design and development expertise that complements the field-specific expertise of IES partners, while meeting the learning needs of target audiences. Katherine holds a bachelor’s degree in Computer Science from the University of North Carolina at Charlotte and a master’s degree in Instructional Technology from East Carolina University.