IA-L2-3.5.2, rooted in NIST SP 800-171 Rev 2 requirement 3.5.2, mandates that every principal attempting access to an organizational system — whether a human user, an automated process acting on behalf of a user, or a physical or virtual device — must have its identity authenticated or verified before access is granted. Authentication is the process of verifying that a claimed identity is genuine, typically through something the principal knows, has, or is. This requirement applies across all access vectors including interactive logins, API calls made by service accounts, remote device connections, and machine-to-machine communications. The control directly supports the zero-trust principle that no entity is implicitly trusted, and it is a prerequisite to all access control decisions governed by the AC domain. Without verified identity, no access control policy can be meaningfully enforced, making this practice the keystone of the entire CMMC IA domain.
Where it stops · what it isn't
- This practice does not specify the strength or type of authenticator required; that is addressed by IA-L2-3.5.3 (multifactor authentication) and IA-L2-3.5.7 (password complexity)
- This practice does not cover the management lifecycle of authenticators, such as provisioning, rotation, or revocation; those are addressed by IA-L2-3.5.9, 3.5.10, and 3.5.11
- This practice does not govern authorization decisions (what an authenticated principal may do); authorization is addressed by the AC domain controls such as AC-L2-3.1.1
- This practice does not mandate a specific authentication protocol (e.g., Kerberos, SAML, OAuth) as long as identity is verified before access
- This practice does not apply to physical access controls to facilities, which fall outside the NIST SP 800-171 system boundary
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF: domain/identification-and-authentication