User Capabilities

Identify authentication sources:

• Compile a list of all authentication systems within the Component (e.g., cloud-hosted, on-premises directory services, third-party Identity and Access Management (IAM), ICAM providers, etc.).

Extract User/PE data:

• Extract User/PE data from each authentication source using Application Programming Interfaces (APIs) or other integration methods.
• Gather information (e.g., usernames, unique identifiers, associated groups, etc.).

Consolidate and normalize data:

• Move the extracted User/PE data into a central repository or IAM solution.
• Normalize the data to ensure consistency across different authentication sources.
  • Transform diverse attribute values into standardized formats, such as converting all email addresses to lowercase and removing whitespace from phone numbers to ensure consistent identification during authentication.

Define privileged Users/PEs:

• Clearly define the criteria for privileged User/PE designation within your Component (e.g., administrators, system owners, database administrators, others with elevated access, etc.).

Identify privileged Users/PEs:

• Identify Users/PEs with privileged access within each authentication source (e.g., review group memberships, specific roles, etc.).

Verify and validate authoritative management:

• Manage privileged User’s/PE’s identities within a primary authoritative source (e.g., a directory service, etc.) and verify and validate that user access is strictly controlled.
• Normalize the privileged User/PE data.

Utilize discovery tools:

• Utilize manual and automated discovery tools while performing environment scans to identify all applications during the application inventory process.*Further details are provided within Activity 3.1.1 (Discovery) – Application and Code Identification.

Create application inventory:

• Gather application management details as relevant data points during the application inventory.*Further details are provided within Activity 3.1.1 (Discovery) – Application and Code Identification.

Define criteria for non-privileged Users/PEs:

• Establish a clear definition of non-privileged Users/PEs based on their roles and access permissions. Focus on accounts with no administrative or elevated privileges.

Extract and organize User/PE account data:

• Collect account data from each application, leveraging administrative tools or APIs. Normalize this data to include User/PE identifiers, roles, and associated metadata for cataloging.
• Compile results in the Component Master User Inventory.

Review for completeness:

• Cross-reference the cataloged accounts against system logs or application audit trails to identify missing or unaccounted Users/PEs.
• Document and remediate any gaps.

Store, verify, and validate the catalog:

• Store the compiled list of privileged accounts in a secure, centralized location.
• Ensure completeness and accuracy by conducting a review with application owners.

Define criteria for privileged Users/PEs:

• Establish criteria for identifying privileged Users/PEs, focusing on roles with administrative or elevated access. If applicable, use Enterprise role-based access standards as a reference.

Extract and organize privileged account data:

• Where possible, retrieve User/PE account data from each application using APIs or administrative tools. Highlight roles, permissions, and any associated metadata indicating privileged access.

Review, verify, and validate privileged accounts:

• Cross-check the extracted data with application audit logs and system configurations to confirm that all privileged accounts are accurately identified and included.

Store, verify, and validate the catalog:

• Store the compiled list of privileged accounts in a secure, centralized location.
• Ensure completeness and accuracy by conducting a review with application owners.

Obtain the Enterprise ICAM authoritative policy/guidance:

• Review the approved Enterprise authoritative policy/guidance for ICAM governance on User’s/Person Entity’s (PE’s) roles and attributes.
• Review the latest Enterprise ICAM strategy related to the creation of digital entities, maintenance of associated attributes, and issuance of credentials for User/PE.

Review, verify, and validate requirements:

• Determine specific application functions and data that require access control.
• Verify and validate the roles and attributes needed for authorization.
• Verify and validate the accuracy of data, including data received from other data sources.

Review roles and attributes:

• Review roles based on job functions, responsibilities, and access needs.
• Verify and validate that the assigned Users/PEs to roles have appropriate access.
• Identify attributes such as User identity, role, department, location, device type, time of access, and other relevant factors to make dynamic access decisions.

Leverage Activity 1.4.1 (Phase One) – Implement System and Migrate Privileged Users Part 1, to verify and validate previously established PAM attributes:

• User Attributes: Username, role, department, and contact info.
• Access Attributes: Access levels, permissions, and entitlements.
• Session Attributes: Start and end times, session duration, and session logs.
• Authentication Attributes: Multi-Factor Authentication (MFA) status and authentication methods used.
• Audit Attributes: Access logs, change logs, and compliance reports.

Assess current PAM activities:

• Create an inventory of remaining associated activities.
• Identify the tools and methods currently used for PAM activities.
• Identify any gaps in the implementation of the current PAM.

Verify and validate the migration plan:

• Map the identified PAM attributes to the corresponding features in the chosen or existing PAM solution.
• Plan to migrate the remaining User/PE data, access permissions, and session logs to the PAM solution.
• Test the migration process in a controlled environment to ensure data integrity and functionality.
• Integrate the PAM solution with remaining systems (e.g., Identity and Access Management (IAM), directories, logging systems, etc.).

Review, verify, and validate the centralized identity store:

• Verify, validate, and establish that an approved single or cluster of authoritative centralized source(s) is leveraged by both PAM and ICAM solutions for consistent access control across the Component.
• Review, verify, and validate the permission-based access request workflow for seamless integration.

Maintain secure credential management:

• Verify and validate capability to associate digital identity with an authoritative source of truth.

Leverage the MFA capability building block from Activity 1.3.1 (Phase One) – Organizational Multi-Factor Authentication (MFA) and Identity Provider (IdP), to enforce authentication and authorization:

• Implement authentication and authorization mechanisms to ensure that only approved systems and Users/PEs can access the attribute data.

Establish and maintain secure access management:

• Leverage trusted identities and authoritative credentials to develop and map permission-based access control policy to resources.

Enable built-in capability for federation integration:

• Develop and enable cross-boundaries trust and policy-based access control across multiple Components and approved partners.

Monitor and update:

• Continuously monitor the connection and data synchronization process to ensure data accuracy and consistency.
• Implement mechanisms to manage updates and changes in the centralized repository.

Enable continuous monitoring and logging capabilities to support verification and validation of the activity:

• Run routine and periodic testing to ensure compliance and application access control.
• Identify and remediate potential excessive access privileges.
• Monitor and audit any security violations caused by privilege misalignment.

Review authentication rules:

• Leverage previously established rules that determine how User/PE privileges should be adjusted based on authentication events. Rules could be based on the frequency of authentication, the method of authentication (e.g., Multi-Factor Authentication (MFA), etc.), or the authentication context (e.g., location, device, etc.).

Set up an authentication mechanism:

• Implement an authentication method that can trigger events based on authentication outcomes.
  • This could involve integrating with an existing Identity and Access Management (IAM)/Identity, Credential, and Access Management (ICAM) solution, from Activity 1.2.1 (Phase Two) – Implement Application-Based Permissions per Enterprise.

Implement event handling:

• Configure event handling to listen for authentication events and apply the corresponding rules to adjust User/PE privileges.
  • This could include using message queues, webhooks, or direct Application Programming Interface (API) calls.

Monitor and audit:

• Continuously monitor the system to ensure that privileges are being adjusted correctly. Implement auditing to track changes in User/PE privileges and ensure compliance with security policies.

Expand User/PE attributes in support of ABAC:

• User/PE attributes (e.g., role, department, clearance level, location, etc.).
• Resource attributes (e.g., resource type, classification, owner, etc.).
• Environment attributes (e.g., time, Internet Protocol (IP) address, device type, etc.).

Define policies:

• Create policies that specify which attributes are required to access specific resources or actions.

Configure an ABAC/logic engine:

• Utilize an ABAC/logic engine to evaluate policies and make access control decisions.

Integrate with applications:

• Integrate the ABAC engine with all the applications, to the greatest extent possible, to enforce access control decisions. Configure the application to query the ABAC/logic engine before granting access to resources or actions.

Monitor and audit:

• Continuously monitor access control decisions and audit logs to verify and validate policy compliance and detect any anomalies.

Integrate JIT and JEA into existing PAM solution:

• Assess the existing PAM solution, from Activity 1.4.1 (Phase One) – Implement System and Migrate Privileged Users Part 1, to determine if it supports JIT and JEA.
  • If the PAM solution does not support JIT and JEA, select and implement a PAM solution that does support JIT and JEA.

Refine privileged roles and tasks in support of JEA:

• Leverage previously defined roles and tasks that require privileged access and reassess the minimum permissions required to perform these tasks.

Configure JIT access:

• Configure access to grant privileged access only when needed and for a limited time, as defined by the Component.
• Configure approval workflows for JIT access requests.

Implement JEA configurations:

• Create JEA configurations to limit the scope of administrative tasks.

Integrate with existing systems:

• Integrate the PAM solution with your existing IAM systems, directories, and applications.
• Ensure the PAM solution can manage and monitor privileged access across all systems.

Monitor and audit:

• Continuously monitor privileged access sessions and audit logs to ensure compliance with security policies.
• Implement alerting for any suspicious, unapproved activities.

Identity integration points:

• Determine the specific integration points between PAM and SIEM solutions.
• Configure the PAM solution to send log and event data to the SIEM solution.

SIEM integration:

• Ensure the PAM solution can push event information to the established SIEM solution.
• Ensure the SIEM correctly assimilates the event information to provide actionable intelligence.

• Regular audits should be performed to verify and validate that the PAM solution is functioning as expected.
  • Demonstrate that User/PE access is managed correctly in accordance with the JIT/JEA provisioning.
  • Strongly recommend, at a minimum, an annual audit.
• Continuously monitor SIEM integration to ensure the PAM logs and events are correctly forwarded.

Identify all critical applications:

• Leverage the application inventory, from Activity 3.1.1 (Discovery) – Application and Code Identification, to identify the critical applications.

Review MFA requirements:

• Refer to the approved Enterprise guidelines to define and review the MFA system and application requirements.

Leverage the Master User Inventory, from Activity 1.1.1 (Discovery) – Inventory User for component identities:

• Leverage the previously developed User/PE inventory database to help establish User/PE identities at the Component level.

Establish communication with all key stakeholders:

• Prioritize applications, systems, and Users/PEs based on Enterprise/Component determined risk.
• Define the goals and scope of MFA and IdP implementation.

Identify Component IdP requirements:

• Leverage the Component Identity Lifecycle Management (ILM) process, from Activity 1.5.1 (Phase One) – Organizational Identity Lifecycle Management (ILM), to assess and validate IdP key requirements. The Component ILM process will then be used to apply and enforce these established requirements.
• Review the Enterprise-approved guidelines on identity management and requirements applicable to the Component (e.g., authoritative data source, attributes, vetting, etc.).
• Consider industry standards/best business practices such as the National Institute of Standards and Technology (NIST) - Federal Information Processing Standards (FIPS) 140-3, standards for cryptographic modules.
• Determine how the Component will prioritize MFA and IdP deployment and integration within the existing environment(s).

Select a compatible IdP and MFA solution:

• Identify compatible IdP and MFA solution(s) that meet the Component ILM requirements, from Activity 1.5.1 (Phase One) – Organizational Identity Lifecycle Management (ILM).
• Identify how the infrastructure and security products will integrate with the IdP. Also, identify if those products support the Attribute-Based Access Control (ABAC)/Role-Based Access Control (RBAC)/Identity-Based Access Control (IBAC) decisions made to support Policy Decision Point (PDP)/Policy Enforcement Point (PEP), from Activity 3.4.2 (Phase Two) – Resource Authorization Part 2 and 6.1.2 (Phase One) – Organization Access Profile. Do not expect uniformity for all products.
  • When selecting an MFA solution:
    • In the absence of Enterprise-defined MFA solutions, consider the following:
      • Hardware Tokens: Universal Serial Bus (USB) Security Keys and/or One-Time Password (OTP) devices, as needed.
      • Software authenticators that provide two-step/two-factor authentication
  • When selecting an IdP solution:
    • Determine if it will support more advanced access control capabilities (e.g., ABAC, IBAC, etc.).
    • Plan for enough granularity for access to the IdP to allow for granting/removing a single privilege without granting/removing extra privileges.
    • Determine if on-premises or cloud-based IdP solutions are most suitable.

Verify and validate Component IdP and MFA solution capabilities:

• Test the selected IdP and MFA solutions to ensure they:
  • Integrate with the Component environment.
  • Provide the necessary capabilities identified during selection

Deploy and implement the selected MFA and IdP solutions:

• Provide clear policy guidelines and support for User/PE enrollment in MFA.
• Implement a phased approach deployment, leveraging the Component-defined priorities, to migrate Users/PEs and integrate MFA and IdP with existing Data, Applications, Assets, and Services (DAAS).

Verify and validate Component MFA solution:

• Ensure all Users/PEs are required to leverage the Component selected MFA solution.
• Ensure access to Component-determined DAAS is restricted to Users/PEs who leverage the approved MFA solution.

Verify and validate Component IdP solution:

• Ensure that all Users/PEs are integrated with the Component IdP solution in accordance with the Component ILM policy established in Activity 1.5.1 (Phase One) – Organizational Identity Lifecycle Management (ILM).

Verify and validate logging:

• Ensure the MFA and IdP can externally send all relevant logs to the Security Information and Event Management (SIEM) or find third-party software to export appropriate logs that can run on the platform.
• Verify and validate the MFA and IdP can provide detailed logs for the SIEM/Security Orchestration, Automation, and Response (SOAR), and/or Artificial Intelligence/Machine Learning (AI/ML) to utilize.
  • Log standardization, from Activity 7.1.2 (Phase One) – Log Parsing.
  • SIEM log detail requirements, from Activity 7.2.4 (Phase One) – Asset ID and Alert Correlation.
  • AI/ML integration, from Activity 7.3.2 (Phase Two) – Establish User Baseline Behavior.

Leverage existing privileged access policies:

• Leverage and review established identity policies, from Activity 1.5.1 (Phase One) – Organizational Identity Lifecycle Management (ILM) Part 1.
• Leverage the Component Identity Lifecycle Management (ILM) board/stakeholders, from Activity 1.5.1 (Phase One) – Organizational Identity Lifecycle Management (ILM) Part 1.

Define scope and objectives:

• Focusing on mission and security compliances, define the scope and objectives for a successful PAM implementation.
• Establish the criteria for which applications will/will not require access to the Component-defined PAM solution.

Identify privileged accounts:

• Refer to the Enterprise identity authoritative source and the Component local identity repository to verify, validate, and review User/PE and application-privileged accounts.

Review existing User/PE and application inventories:

• Leverage the application inventory, from Activity 3.1.1 (Discovery) – Application and Code Identification, to identify the critical applications.
• Leverage the Master User Inventory, from Activity 1.1.1 (Discovery) – Inventory User, to compile the privileged User/PE account list.
• Obtain and review the inventory of applications and services that require privileged access.
• Ensure the inventory includes application names, types, privileged accounts, and current access methods.

Leverage existing MFA capability:

• Refer to the approved Enterprise guidelines to define and review the MFA solution and application requirements. Leverage systematic MFA enforcement, from Activity 1.3.1 (Phase One) – Organizational Multi-Factor Authentication (MFA) and Identity Provider (IdP).

Select PAM solution:

• Choose a PAM solution that meets the Component’s security requirements.
• Ensure the solution supports the applications and services in the inventory.
• Consider the requirements for integration into a Public Key Infrastructure (PKI), from Activity 1.9.1 (Phase Two) – Enterprise Public Key Infrastructure (PKI) and Identity Provider (IdP) Part 1, when selecting a PAM solution.

Test the PAM solution:

• Ensure the PAM solution meets the Enterprise and/or Component requirements
• Ensure the PAM solution integrates with the Component environment.

Configure PAM to manage a diverse range of credentials from authoritative sources:

• Configure PAM to control access to privileged access for the identified applications/services, leveraging a secure credential vault.
• Configure policies, roles, and access controls.
• Configure limited User/PE account permissions to those required to perform their job.

Plan the migration for integration into existing and legacy systems:

• Develop a migration plan that includes timelines, resources, and steps for migrating each application/service to PAM.
• Prioritize applications based on criticality and risk.

Integrate each application/service with the PAM solution:

• Implement a phased approach deployment, leveraging the Component-defined priorities, to integrate applications/services with the PAM solution.
• Leverage Identity, Credential, and Access Management (ICAM) capabilities for seamless integration and complete identity governance and access control policies.

Manage exceptions:

• Applications/services that do not support PAM are:
  • Identified
  • Documented
  • Approved or Rejected
• Approval is granted when justification for the exception outweighs the risks to the Enterprise/Component.
• The Enterprise and/or Component determine risks.
• Approval is periodically reassessed.

Verify and validate the PAM solution:

• Test the integration to ensure that privileged access is managed correctly.
• Verify and validate that the PAM solution is functioning as expected and access controls are enforced.

Verify and validate logging:

• Verify and validate that the PAM solution can provide detailed logs for the Security Information and Event Management (SIEM)/Security Orchestration, Automation, and Response (SOAR), and/or Artificial Intelligence/Machine Learning (AI/ML) to utilize.
  • Log standardization, from Activity 7.1.2 (Phase One) – Log Parsing.
  • SIEM log detail requirements, from Activity 7.2.4 (Phase One) – Asset ID and Alert Correlation.
  • AI/ML integration, from Activity 7.3.2 (Phase Two) – Establish User Baseline Behavior.

Monitor and audit:

• Continuously monitor the PAM solution to ensure privileged access is managed securely.
• Perform regular audits to verify and validate compliance with security policies.

Review inventory:

• Obtain and review the inventory of applications and services that require privileged access.
• Ensure the inventory includes application names, types, privileged accounts, and current access methods.

Leverage the Component PAM solution:

• Leverage the Component PAM solution, from Activity 1.4.1 (Phase One) – Implement System and Migrate Privileged Users Part 1.

Plan the migration:

• Develop a migration plan that includes timelines, resources, and steps for migrating each application/service to PAM.
• Prioritize applications based on criticality and risk.

Integrate applications/services:

• Integrate each application/service with the PAM solution.
• Configure the application to use the PAM solution for authentication and access control.

Test, verify, and validate:

• Test the integration to ensure that privileged access is managed correctly.
• Verify and validate that the PAM solution is functioning as expected and that access controls are enforced.

Monitor and audit:

• Continuously monitor the PAM solution to ensure privileged access is managed securely.
• Perform regular audits to verify and validate compliance with security policies.

Identify unsupported applications/services:

• Review the inventory of applications and services to identify those not currently supported by the PAM solution.

Assess risks:

• Conduct a risk assessment to understand the potential security risks of managing these applications and services outside the PAM solution.

Develop a proposal:

• Develop a proposal outlining the need to manage unsupported applications and services.
• Identify what risks are involved.
• Identify compensating controls to be implemented.

Seek approval:

• Present the proposal to relevant stakeholders to obtain approval.

Implement compensating controls:

• Implement identified compensating controls to mitigate the risks associated with managing unsupported applications and services.
• Implement monitoring, logging, and access controls.

Document and monitor:

• Document the approval process.
• Document compensating control implemented.
• Verify and validate continuous monitoring of applications and services to ensure the implemented controls are effective.

Request for exception or decommission:

• System owners request exceptions for the applications/services that cannot be integrated into the PAM solution.
• Manage exceptions based on established risk methodologies.
• Migrate applications/services that cannot be integrated into the PAM solution or are not eligible to be decommissioned.

Identify privileged accounts:

• Consolidate privileged accounts and secure access rights safely for centralized management.

Audit the PAM system:

• Enforce the separation of duties principle to restrict admin access privileges from PAM system monitoring and audit capabilities, requiring a set of separate credentials for each mission task.
• Deploy PAM in conjunction with Multi-Factor Authentication (MFA) to add an extra layer of protection, requiring Users/Person Entities (PEs) to provide additional verification and validation.

Continuous authentication:

• Apply risk-based authentication decisions and mechanisms to assess login attempts and access requests based on user behavior and device posture.

Implement Least Privilege:

• Audit all privileged access processes and solutions to set a Least Privilege baseline.
• Restrict privileged accounts to specific personnel or roles to prevent day-to-day Users/PEs from accessing privileged functions or information.

Implement Just-in-Time (JIT):

• Employ JIT access control methods to grant privileges to controlled resources only for predetermined periods of time on an as-needed basis.

Test, verify, and validate:

• Test the integration to ensure that privileged access is managed according to policy.
• Verify and validate that the PAM solution is functioning as expected and that access controls are enforced.

Monitor and audit:

• Continuously monitor the PAM solution to ensure privileged access is managed securely.
• Perform regular audits to verify and validate compliance with security policies.

Lifecycle management of privileged/non-privileged Users/PEs:

• Identify and implement an approved Identity Provider (IdP) that supports the full identity lifecycle, including provisioning, access changes, and deprovisioning.
• Define the criteria for where Users/PEs are added, modified, and/or removed from the IdP. At a minimum, this should include:
  • Onboarding: Role assignment, access provisioning, and initial IdP registration.
  • Role/job changes: Role-based access updates and system privilege adjustments.
  • Offboarding: Timely account disablement/removal and revocation of privileges and credentials.
• Define and document a risk-based exception process for Users/PEs who cannot be integrated into the IdP, including criteria for exception eligibility, approval process, and oversight mechanisms.

Migrate Users/PEs:

• Develop and implement a phased migration plan to onboard all eligible Users/PEs into the IdP, prioritizing privileged Users/PEs and high-risk roles.
• Verify and validate accurate mapping of user accounts to roles, access rights, and organizational structures.

Manage exceptions:

• Users/PEs outside the standard ILM process are:
  • Identified
  • Documented
  • Approved or Rejected
• Approval is granted when justification for the exception outweighs the risks to the Enterprise/Component.
• The Enterprise and/or Component determine and document risks associated with each exception.
• Approval is periodically reassessed and documented on a scheduled basis.

Conduct periodic assessments:

• Leverage the ILM process to periodically review the status of all Users/PEs, focusing on:
  • Role-based changes that require access adjustment.
  • Accounts eligible for deactivation or deletion due to inactivity or separation.
• Reassess and reauthorize exceptions based on their current justification, risk posture, and any changes to system architecture or user roles. The frequency of verification and validation should be proportionate to the risks associated with their role, access, and any other factors deemed relevant to the Enterprise or Component.
• Maintain logs and audit documentation of all reviews, approvals, and changes for compliance verification.

Verify and validate:

• At least annually, the Component should verify and validate the ILM process:
  • Aligns with current Enterprise policy and guidance.
  • Supports secure and accurate identity lifecycle operations.
  • Includes effective exception and deprovisioning mechanisms.
• Confirm that responsible teams and stakeholders understand the ILM process and are effectively implementing ILM activities. For example:
  • The ILM process is understood and implemented by responsible parties within the Component.
  • Users/PEs moving to a new role within the Component have their accounts modified as necessary within the IdP.
  • Users/PEs with an IdP exception are reassessed to ensure the original justification for the exception is relevant and the Component is managing most of its Users/PEs within the IdP.

Define requirements and policies:

• Leverage previously established requirements and policies to further develop policies supporting automation.

Expand ILM process scope and goals:

• Incorporate new automation requirements into the existing ILM. Include processes that support Just-in-Time (JIT) to automatically revoke access to Data, Applications, Assets, and Services (DAAS) as needed.

Conduct a current state analysis of the existing ILM:

• Develop an assessment plan to evaluate compliance requirements for existing data sources, Identity Management (IdM) systems, access control policies, and credential management in accordance with the Enterprise ICAM established policy.
• Review data flow security requirements between different elements and the Enterprise ICAM system, including identity repositories, User/Person Entity (PE) interfaces, and third-party access portals.

Facilitate system deployment and data migration to the Enterprise ICAM platform:

• Integrate, configure, and update the approved ILM solution to functionally integrate with the Enterprise ICAM platform.
• Review, verify, and validate the functional, performance, and system integration acceptance requirements to ensure the deployment of all functionalities against defined requirements and expected outcomes.

Enforce access control and a secure integration design architecture:

• Leverage data encryption and existing protection mechanisms to safeguard the integrity of DAAS during data exchange across all platforms.
• Adopt Application Programming Interface (API) integration and adhere to all relevant and applicable security standards (e.g., National Institute of Standards and Technology (NIST), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), etc.) and protocols while connecting to existing credential repositories, identity storages, applications, and databases.

Select ICAM solutions:

• Select ICAM solutions that support automation and integration.
• Ensure the ICAM solutions integrate seamlessly with existing systems and applications within the Component.
• Ensure integration with MFA, from Activity 1.3.1 (Phase One) – Organizational Multi-Factor Authentication (MFA) and Identity Provider (IdP).

Provisioning:

• Automate the creation of identities, attributes, groups, credentials, and permissions.

Management:

• Implement automated processes for managing changes to these elements (e.g., role change, attribute updates, group memberships, etc.).

De-provisioning:

• Automate the removal of identities, attributes, groups, credentials, and permissions when no longer needed.

Manage Exceptions:

• Users/PEs outside the standard ILM process are:
  • Identified
  • Documented
  • Approved or rejected
• Risks are determined by the Enterprise and/or Component.
• Approval is granted when justification for the exception outweighs the risks to the Enterprise/Component.
• Approvals are periodically reassessed.

Enable continuous system performance testing capability to support activity verification and validation:

• Conduct routine and regular performance testing to ensure seamless integration, security, and functionality compliance.
• Enable reporting and monitoring built-in capabilities to audit repositories, data access, and centralized identity database activities.

Define baseline User/Person Entity (PE)/Non-Person Entity (NPE) behavior:

• Leverage Activity 7.2.5 (Phase Two) – User and Device Baselines.
• Leverage Activity 7.3.2 (Phase Two) – Establish User Baseline Behavior.
• Define behavior deviation thresholds.
• Configure behavioral analytic rules to detect anomalies and potential security threats, such as:
  • Unusual login locations
  • Impossible travel activity
  • Excessive access requests

Requirements, objectives, and risks:

• Determine the specific requirements for UEBA and UAM solutions.
• Define the objectives for implementing UEBA and UAM, such as detecting insider threats, monitoring User/PE activities and accounts, and ensuring compliance.

Select UEBA and UAM solutions:

• Select UEBA and UAM solutions that support integration with the Enterprise IdP, from Activity 1.3.1 (Phase One) – Organizational Multi-Factor Authentication (MFA) and Identity Provider (IdP), and existing systems (e.g., SIEM, IAM, Data Loss Prevention (DLP) systems, etc.).

Evaluate UEBA/UAM solutions:

• Assess various UEBA solutions based on features, integration capabilities, and compatibility with the existing infrastructure.
• Assess UAM solutions based on the ability to provide comprehensive monitoring and reporting capabilities, and integration with UEBA solutions.
• Verify and validate that the UEBA/UAM solutions integrate with existing systems.

Deploy and configure UEBA solutions:

• Deploy the selected UEBA solution into the Component environment(s).
• Configure the UEBA solution to collect data from necessary elements such as endpoints, network devices, servers, applications, and cloud services.
• Implement anomaly detection algorithms to identify deviations from baseline behavior.
• Integrate the UEBA solution with existing systems.

Deploy and configure the UAM solution:

• Deploy the selected UAM solution into the Component environment(s).
• Configure the UAM solution to monitor User/PE activities, including keystrokes, screen captures, and application usage.
• Determine which User/PE and resource attributes are required for the Enterprise by conducting a comprehensive inventory and characterizing Users/PEs, resources, and the User’s/PE’s ability to protect the data.
• Create detailed monitoring policies based on User/PE roles, attributes, and application requirements.
• Define and implement access control policies based on roles and attributes.
• Define policies for acceptable and unacceptable behavior based on the Enterprise guidelines.
• Ensure the UAM solution integrates seamlessly with the UEBA solution to provide comprehensive monitoring and analytics.

Verify and validate:

• Ensure that the UEBA and UAM solutions integrate as expected with existing services/systems by verifying and validating the UEBA and UAM solutions:
  • Receive the necessary information in the supported formats from other devices.
  • Provide the necessary information to other systems/services in a supported format.
• Demonstrate the UEBA and UAM solutions function as expected by performing simulations of anomalous behavior with the intent of triggering UEBA and UAM-defined actions.

Continuous monitoring and analytics:

• Utilize the UEBA and UAM solutions to monitor User/PE and entity activities continuously.
• Collect logs and telemetry data from endpoints, network devices, and applications.
• Implement real-time analytics to detect anomalies and potential security threats.
• Configure automated response actions to isolate or remediate threats in real-time.

Monitor and audit:

• Monitor the UEBA and UAM solutions continuously to ensure they function as expected.
• Periodically verify and validate the solutions to ensure that the UEBA and UAM solutions continue to behave as expected and continue to comply with security policies as the environments change over time.
• The frequency with which the UEBA and UAM solutions should be reevaluated will depend on the nature of the Component’s mission and operational requirements. It is strongly recommended that the reassessment be done at an interval no longer than annually.

Identify data:

• Leverage the data inventory, from Activity 4.1.1 (Discovery) – Data Analysis.

Identify applications/services:

• Leverage the application/code inventory, from Activity 3.1.1 (Discovery) – Application and Code Identification.

Identify assets:

• Leverage the device inventory, from Activity 2.1.1 (Discovery) – Device Health Tool Gap Analysis.

Identify Users/PEs:

• Leverage the Master User Record, from Activity 1.1.1 (Discovery) – Inventory User.

Identify authorization source(s):

• Leverage the authorization sources, from Activity 1.1.1 (Discovery) – Inventory User; or
• Leverage the organizational Identify Provider(s) (IdP(s)), from Activity 1.3.1 (Phase One) – Organizational Multi-Factor Authentication (MFA) and Identity Provider (IdP).

Document permissions:

• Document the existing permissions provisioned to Users/PEs through the Component authorization source(s).
  • If possible, leverage permissions and roles, from Activity 1.5.1 (Phase One) – Organizational Identity Lifecycle Management (ILM).
• Identify permissions that can be attributed to roles rather than directly assigned to Users/PEs.
• Assess current permissions to determine the least necessary access Users/PEs or roles required to perform their assigned functions, to remove unnecessary privileges.
• Document the new permission baselines for all Users/PEs and roles.

Remove/delete excess permissions:

• Implement the new baseline permissions and assign roles as necessary to implement Least Privilege and Role-Based Access Control (RBAC) in accordance with the new Component-defined baselines.

Decommission static privileges:

• Leverage the IdP(s), from Activity 1.3.1 (Phase One) – Organizational Multi-Factor Authentication (MFA) and Identity Provider (IdP), to provide dynamic permission management for Users/PEs.
• Leverage the Component Identity Lifecycle Management (ILM) process, from Activity 1.5.1 (Phase One) – Organizational Identity Lifecycle Management (ILM), to minimize Users/PEs that are statically assigned permission/privileges.

Configure assets and applications to deny access:

• Leverage the identified DAAS and implement access controls that deny-by-default.
• Ensure the Component approved Users/PEs continue to have appropriate access in support of their role/job functions.

Conduct access assessment:

• Verify and validate that unauthenticated Users/PEs cannot access Component applications/resources.
• Verify and validate that authenticated Users/PEs cannot access Component applications/resources that are outside the scope of their permissions.

Continuously revise access controls:

• Organizational access rules can change for various reasons, including organizational changes, role changes, project changes, security updates, and the implementation of automated solutions.
• Continuously monitor User/PE permissions to align with the Organizational ILM plan.
• Continuously monitor Component applications/resources are effectively applying deny-by-default and access level restrictions in accordance with the permissions granted.

Authentication with MFA requires the following:

• Leverage the approved IdP and MFA, from Activity 1.3.1 (Phase One) – Organizational Multi-Factor Authentication (MFA) and Identity Provider (IdP).
• Ensure that all Component-managed resources enforce authentication at session initiation using a Common Access Card (CAC) or other approved MFA methods.
• Confirm Users/PEs and NPEs are included in the authentication policy, with authentication required for each session initiated.
• Configure session timeout and termination settings based on inactivity thresholds, in alignment with the Enterprise policy.

To verify and validate that authentication is met:

• Confirm that Enterprise and Component policies and procedures require session-based MFA for all Users/PEs, enforced through the approved IdP solution.
• Verify and validate the configuration of session timeout/termination policies for all access points, ensuring they are enforced across all systems and services.
• Demonstrate that a User/PE is required to authenticate when accessing a Component resource.
• Document findings and address gaps through policy, technical remediation, or exception tracking, as appropriate.

Security attributes and criticality levels:

• Identify relevant attributes, such as:
  • User/Person Entity (PE) role
  • Data sensitivity
  • Application/system criticality
  • Source location
  • Device/network context
• Collaborate with the Enterprise to obtain current directives and updated policies on vulnerability management.
• Define and categorize criticality levels (e.g., low, medium, high) for data, Users/PEs, systems, and access scenarios.

Establish/update authentication policies:

• Develop authentication policies based on criticality and context, specifying frequency and conditions for periodic reauthentication.
• Integrate MFA using the approved Identity Provider (IdP), from Activity 1.3.1 (Phase One) – Organizational Multi-Factor Authentication (MFA) and Identity Provider (IdP).
• Establish dynamic authentication policies that adjust based on the context of the access request.
• Establish policies that leverage time-based reauthentication intervals, to include periodicity attributes, in accordance with the criticality of access. For example:
  • The period of time allowed between User/PE reauthentication is shorter for critical resources.

Establish access control policies:

• Define access control policies based on roles and attributes. Access control mechanisms should consider granularity, reliability, availability, and the potential risks to the resource [6].
• Ensure alignment with reauthentication policies and support for adaptive enforcement.

Identify/select solutions:

• Select Identity and Access Management (IAM) / Identity, Credential, and Access Management (ICAM) solutions that:
  • Are compliant with the Enterprise standards and integrate with existing systems.
  • Support context-aware and adaptive authentication.
  • Support continuous authentication.
  • Verify and validate User/PE identities throughout the sessions based on behavior, device posture, and other contextual factors.

Implement periodic authentication:

• Define reauthentication intervals based on criticality and session risk.
• Configure authentication to recur based on time, User/PE behavior, location changes, or sensitivity of accessed data.
• Apply dynamic reauthentication logic where appropriate.

Configure IAM/ICAM and MFA:

• Ensure all Users/PEs are enrolled in MFA and subject to periodic reauthentication.
• Configure IAM/ICAM to enforce authentication policies and manage User/PE sessions.
• Configure the MFA solution to prompt Users/PEs for reauthentication at defined intervals or when certain conditions are met (e.g., accessing sensitive data, changing network locations, etc.).

Implement and integrate:

• Integrate IAM/ICAM and MFA solutions with all relevant applications and services.
• Ensure consistent enforcement of authentication policies across all systems.
• Verify and validate system compatibility with dynamic and periodic reauthentication workflows.

Verification and validation actions:

• Demonstrate that Users/PEs are periodically authenticated in accordance with the defined frequency/conditions.
• Ensure MFA authentication is applied across defined resources.
• Verify and validate the authentication solution(s) successfully integrate with the IdP.
• Review and adjust policy and configurations based on testing, monitoring, and evolving risk conditions.

Establish Component policy and governance:

• Review Enterprise User/PE/NPE PKI CONOPS, taxonomy, and naming standards.
• Align Component policies with Enterprise standards.
• Document certificate use cases, volume projections, and types needed.
• Establish operational procedures for certificate lifecycle management.

Technical requirements analysis:

• Document integration requirements with Enterprise Root CA and IdP.
• Define hardware/software requirements and security standards.
  • Example: Cryptographic specifications (Secure Hash Algorithm (SHA)-256 minimum, 2048-bit Rivest-Shamir-Adleman (RSA) keys).

Transition assessment:

• Perform gap analysis between Component IdP/Multi-Factor Authentication (MFA) and Enterprise offerings.
• Identify if the Component IdP solution can integrate with the Enterprise IdP solution.
• Identify technologies that cannot transition to the Enterprise solution(s).
• Develop a migration plan with a timeline and resource requirements.
• Create remediation strategy for non-compatible systems (decommission, exception).

Architecture and policy development:

• Align to Enterprise PKI hierarchy.
• Design subordinate CA hierarchy and IdP federation architecture.
• Review and adopt Certificate Policies (CP) and Certification Practice Statement (CPS).
• Review and align to Enterprise certificate profile.
• Establish key management and certificate verification and validation policies.
  • Example: Validity periods by certificate type (for example: User/PE: 1 year, NPE: 2 years).

Security framework:

• Design physical/logical security controls and access management.
• Determine key storage mechanisms (HSM implementation).
• Establish audit logging, monitoring, and Incident Response (IR) procedures.

Review and establish Component-level key management strategy:

• Review and define key generation.
• Review and define key storage, retrieval, and recovery.
• Review and define key lifecycle management.

Adopt a phased PKI deployment:

• Review Enterprise certificate enrollment guidelines (e.g., renewal, revocation, etc.).
• Review and establish PKI-based security controls (e.g., CA servers, HSM, etc.).
• Verify and validate PKI Interoperability across systems.

Environment setup and functional testing:

• Create a test PKI infrastructure with Enterprise Root CA connectivity.
• Configure certificate templates and enrollment processes.
• Test certificate issuance, revocation, and IdP integration.

Integration testing:

• Verify and validate interoperability with applications and services.
• Test certificate deployment to end entities.
• Verify and validate IdP federation and attribute validation.
  • Example: Federation protocol verification (Security Assertion Markup Language (SAML), Open Authorization (OAuth), OpenID Connect (OIDC)).
• Test integration with Automation and Orchestration and Visibility and Analytics pillar solutions.

Infrastructure and CA installation:

• Deploy and secure subordinate CA hardware/software.
• Request and install subordinate CA certificate from Enterprise root CA.
• Configure CRL/Online Certificate Status Protocol (OCSP) infrastructure and certificate templates.
• Implement IdP federation with standardized attributes.

Pilot deployment:

• Issue certificates to limited User/PE group.
• Test IdP federation with pilot Users/PEs.
• Gather feedback and adjust configurations.
  • Example: User/PE experience testing with certificate enrollment workflow.
• Integrate with Automation and Orchestration and Visibility and Analytics pillar solutions.

Performance and security testing:

• Verify and validate certificate processes and IdP federation in production.
• Monitor system metrics and verify and validate security controls.
• Test disaster recovery and business continuity procedures.
  • Example: Recovery Time Objective (RTO) verification for CA restoration.

System and application integration:

• Verify and validate certificate chain and path discovery.
• Test trust relationships across organizational boundaries.
• Verify and validate application functionality with issued certificates.
• Ensure compliance with Enterprise PKI and IdP requirements.

Establish continuous PKI testing, verification, and validation:

• Conduct regular security assessments and penetration testing.
• Ensure logging and monitoring of PKI activities are captured and ingested by Automation and Orchestration and Visibility and Analytics pillar solutions.
• Verify and validate adherence to Enterprise policies and standards.
• Review certificate profiles and template configurations.
• Maintain IdP federation and attribute standardization.
  • Example: Quarterly certificate policy compliance verification and validation checklist.