Family 3.5 (11 requirements). Identity foundation.
Identity & Authentication.
Prove who you are. Then prove it again.
The big picture
Identification and Authentication (IA) is what makes Access Control real: every access decision downstream assumes the subject was correctly identified and authenticated here. If identity is sloppy, every one of those decisions is suspect.
Most of these requirements are platform-native in modern identity providers. Map which ones your cloud IdP already enforces and which remain yours to configure, monitor, and evidence.
Theme 1
Identity and accounts.
3.5.1 — 3.5.6: Identifying users, authenticating them, MFA where it matters, and managing identifiers over time.
- 3.5.1 Prove Who You Are. Every user, process acting on behalf of a user, and device has a unique identifier. No anonymous access.
- 3.5.2 Verify Before Entry. Before granting access, authenticate the identity behind the identifier with credentials: passwords, tokens, certificates, biometrics.
- 3.5.3 MFA Everywhere. Multi-factor authentication for local and network access to privileged accounts, and for network access to non-privileged accounts. Cannot be on a POA&M.
- 3.5.4 Replay-Resistant Auth. Network authentication, for privileged and non-privileged accounts alike, that an attacker who captures the exchange cannot replay to log in.
- 3.5.5 Don't Recycle Usernames. A departed user's identifier is not reassigned for a defined period, so old logs, ACLs, and group memberships cannot silently attach to a new person.
- 3.5.6 Disable Dormant Accounts. Identifiers unused for a defined period are automatically disabled.
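The two time-based controls in this theme (3.5.5 identifier quarantine and 3.5.6 dormant-account disabling) are easy to state and easy to get wrong at the edges, for example an account that was provisioned but never logged in. The following is an added example written for this page, not code from the original page or from any IdP: it runs a dormant-account sweep and an identifier-availability check over a constructed account inventory. The 90-day inactivity limit, the 365-day identifier quarantine, and the sample accounts are assumptions; real values come from the organization's policy and its IdP export.

```python
"""Added example (not the page's own code): 3.5.6 dormant-account sweep and
3.5.5 identifier-reuse quarantine over a constructed account inventory.
Windows and sample data are assumptions, not values from the requirement."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

INACTIVITY_LIMIT = timedelta(days=90)        # assumed policy: disable after 90 days unused
IDENTIFIER_QUARANTINE = timedelta(days=365)  # assumed policy: no username reuse for one year


@dataclass
class Account:
    username: str
    created: datetime
    last_login: Optional[datetime]  # None means the account has never authenticated
    enabled: bool


@dataclass
class RetiredIdentifier:
    username: str
    retired_on: datetime


def dormant_accounts(accounts: List[Account], now: datetime) -> List[str]:
    """Return usernames of enabled accounts whose last activity is older than the limit.
    Never-used accounts are measured from creation, so a provisioned-but-unused
    account does not escape the sweep just because it has no login timestamp."""
    dormant = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        last_activity = acct.last_login or acct.created
        if now - last_activity > INACTIVITY_LIMIT:
            dormant.append(acct.username)
    return dormant


def identifier_available(username: str, accounts: List[Account],
                         retired: List[RetiredIdentifier], now: datetime) -> bool:
    """3.5.5: refuse a username that is still held by any account (enabled or not)
    or that was retired inside the quarantine window."""
    if any(acct.username == username for acct in accounts):
        return False
    for r in retired:
        if r.username == username and now - r.retired_on < IDENTIFIER_QUARANTINE:
            return False
    return True


# Constructed sample inventory (assumption, not real data). "now" is fixed so the
# sweep is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", datetime(2023, 1, 10, tzinfo=timezone.utc),
            datetime(2024, 5, 20, tzinfo=timezone.utc), enabled=True),   # active
    Account("bob", datetime(2023, 1, 10, tzinfo=timezone.utc),
            datetime(2024, 1, 15, tzinfo=timezone.utc), enabled=True),   # 138 days idle
    Account("carol", datetime(2024, 2, 1, tzinfo=timezone.utc),
            None, enabled=True),                                         # never logged in
    Account("dave", datetime(2022, 3, 1, tzinfo=timezone.utc),
            datetime(2023, 2, 1, tzinfo=timezone.utc), enabled=False),   # already disabled
]
RETIRED = [
    RetiredIdentifier("erin", datetime(2024, 1, 1, tzinfo=timezone.utc)),   # still quarantined
    RetiredIdentifier("frank", datetime(2022, 6, 1, tzinfo=timezone.utc)),  # quarantine expired
]

if __name__ == "__main__":
    print("disable:", dormant_accounts(SAMPLE_ACCOUNTS, NOW))
    for name in ("alice", "erin", "frank", "grace"):
        print(name, "available" if identifier_available(name, SAMPLE_ACCOUNTS, RETIRED, NOW) else "blocked")
```

In a real deployment the sweep output feeds the IdP's disable API and a ticket for review, and `identifier_available` runs as a pre-check in the provisioning workflow; the point of treating never-used accounts from their creation date is that service accounts created "for later" are a classic dormant-account finding.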
Theme 2
Authenticators and feedback.
3.5.7 — 3.5.9: Password complexity, reuse limits, and temporary-password handling.
- 3.5.7 Password Rules. Minimum length and complexity, plus a meaningful change of characters when a new password is set, so that incrementing a digit does not count.
- 3.5.8 No Password Recycling. Users cannot cycle back to previous passwords. The requirement leaves the number of generations to the organization; 24 is a common baseline.
- 3.5.9 Change Temp Passwords Immediately. A temporary password is good for exactly one logon, and that logon must end in a permanent password before anything else is allowed. No exceptions.
Theme 3
Cryptographic protection.
3.5.10 — 3.5.11: Storing and transmitting authenticators in cryptographically protected form, with obscured feedback.
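The password rules of Theme 2 (3.5.7 complexity and meaningful change, 3.5.8 history, 3.5.9 forced change of a temporary password) and the storage half of 3.5.10 in Theme 3 all land in the same piece of code: the credential store. The following is an added example written for this page, not code from the original page or from any vendor, showing a minimal store that keeps only salted PBKDF2-HMAC-SHA256 hashes and enforces every one of those rules at change time. The minimum length of 14, the 24-generation history, the "at least 4 positions changed" rule, the 600,000 iteration count, the constant-time comparisons, and the sample passwords are all assumptions chosen to illustrate the controls, not values the requirements prescribe.

```python
"""Added example (not the page's own code): a credential store that enforces
3.5.7 (length, complexity, meaningful change), 3.5.8 (24-generation history),
3.5.9 (temporary password must be changed at first logon) and 3.5.10 (only
salted, slow hashes are ever stored). All policy numbers are assumptions."""
import hashlib
import hmac
import os
import secrets
from itertools import zip_longest

MIN_LENGTH = 14              # assumed policy value
HISTORY_DEPTH = 24           # assumed policy value; 3.5.8 leaves the number to the org
MIN_CHANGED_POSITIONS = 4    # assumed "meaningful change" rule for 3.5.7
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def derive(password: str, salt: bytes) -> bytes:
    """3.5.10: the only form of a password that ever touches storage."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def meets_complexity(pw: str) -> bool:
    """3.5.7: minimum length and at least three of four character classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3


def changed_positions(old: str, new: str) -> int:
    """Count positions that differ; a length difference counts as changed positions."""
    return sum(a != b for a, b in zip_longest(old, new))


class PasswordStore:
    def __init__(self) -> None:
        # username -> {"salt", "hash", "history": [(salt, hash), ...], "must_change"}
        self._users = {}

    def issue_temporary(self, username: str) -> str:
        """3.5.9: create the account with a random temporary password flagged for
        mandatory change. The cleartext is returned once for out-of-band delivery
        and is never stored."""
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": derive(temp, salt),
                                 "history": [], "must_change": True}
        return temp

    def verify(self, username: str, password: str) -> str:
        """Returns 'fail', 'must_change' (3.5.9: caller must not grant normal
        access) or 'ok'. Unknown users still pay the hashing cost so response time
        does not reveal whether the username exists."""
        user = self._users.get(username)
        if user is None:
            derive(password, b"\x00" * 16)
            return "fail"
        if not hmac.compare_digest(derive(password, user["salt"]), user["hash"]):
            return "fail"
        return "must_change" if user["must_change"] else "ok"

    def change_password(self, username: str, old: str, new: str) -> str:
        """Apply 3.5.7 and 3.5.8 before accepting a new password."""
        if self.verify(username, old) == "fail":
            return "fail"
        user = self._users[username]
        if not meets_complexity(new):
            return "weak"
        if changed_positions(old, new) < MIN_CHANGED_POSITIONS:
            return "too_similar"
        # 3.5.8: compare against the current hash and the retained generations.
        previous = [(user["salt"], user["hash"])] + user["history"]
        if any(hmac.compare_digest(derive(new, s), h) for s, h in previous):
            return "reused"
        user["history"] = previous[:HISTORY_DEPTH]
        salt = os.urandom(16)  # fresh salt per generation, so equal passwords never share a hash
        user["salt"], user["hash"], user["must_change"] = salt, derive(new, salt), False
        return "ok"


if __name__ == "__main__":
    store = PasswordStore()
    temp = store.issue_temporary("alice")          # delivered out of band
    print(store.verify("alice", temp))             # must_change
    print(store.change_password("alice", temp, "Correct-Horse-Battery-9"))  # ok
    print(store.change_password("alice", "Correct-Horse-Battery-9", "Correct-Horse-Battery-9"))  # too_similar
```

Two design points worth noticing: the history is a list of (salt, hash) pairs, so checking a candidate against 24 generations costs 24 slow hashes, which is the price of never storing a reversible form; and the "must_change" state lives in the store rather than in the UI, so a client that skips the change screen still cannot obtain "ok" from `verify`.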