NIST Special Publication 800, NIST SP 800-171r3

The Security Requirements

03.05.01: User Identification and Authentication

System users include individuals (or system processes acting on behalf of individuals) who are authorized to access a system. Typically, individual identifiers are the usernames associated with the system accounts assigned to those individuals…

03.05.02

Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization…

03.05.03

This requirement applies to user accounts. Multi-factor authentication requires the use of two or more different factors to achieve authentication…

03.05.04: Replay-Resistant Authentication

Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages…
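Added example, not part of SP 800-171r3: one way to get the property described in 03.05.04 is a verifier-issued, single-use nonce bound into an HMAC response, shown here beside a static token that stays valid when replayed. The nonce scheme, the names `Verifier`, `respond`, `static_verify` and `demo`, and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def respond(key: bytes, user: str, nonce: bytes) -> bytes:
    """Claimant side: bind the response to this user and this challenge."""
    return hmac.new(key, user.encode() + b"\x00" + nonce, hashlib.sha256).digest()


class Verifier:
    """Verifier side: issues single-use challenges and checks responses."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._outstanding = set()  # nonces issued and not yet consumed

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        # Consume the nonce first: each challenge authenticates at most once.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        return hmac.compare_digest(respond(self._key, user, nonce), response)


def static_verify(key: bytes, user: str, token: bytes) -> bool:
    """Replayable contrast: the same message is accepted every time."""
    expected = hmac.new(key, user.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, token)


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample secret, not a real key
    server = Verifier(key)
    nonce = server.issue_challenge()
    recorded = respond(key, "alice", nonce)  # the message an observer could record
    static_token = hmac.new(key, b"alice", hashlib.sha256).digest()
    return {
        "first_use": server.verify("alice", nonce, recorded),
        "replay_same_nonce": server.verify("alice", nonce, recorded),
        "replay_new_nonce": server.verify("alice", server.issue_challenge(), recorded),
        "static_replay": all(static_verify(key, "alice", static_token) for _ in range(2)),
    }
```

Calling `demo()` shows the recorded response accepted once and rejected on both replay attempts, while the static token is accepted repeatedly.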

03.05.05: Identifier Management

Identifiers are provided for users, processes acting on behalf of users, and devices. Prohibiting the reuse of identifiers prevents the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices…

03.05.06: Withdrawn

Consistency with SP 800-53 [8].

03.05.07: Password Management

Password-based authentication applies to passwords used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable to shorter passwords.

03.05.08: Withdrawn

Consistency with SP 800-53 [8].

03.05.09: Withdrawn

Consistency with SP 800-53 [8].

03.05.10

Incorporated into 03.05.07.

03.05.11: Authentication Feedback

Authentication feedback does not provide information that would allow unauthorized individuals to compromise authentication mechanisms…

03.05.12: Authenticator Management

Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. The initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, requirements for authenticator content contain specific characteristics…