CAF Outcome B2.a: Identity Verification, Authentication and Authorisation

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential function.

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

NCSC CAF Mapped to NIST CSF

B2.a: Identity Verification, Authentication and Authorisation to CSF mappings generated from UK Cabinet Office table.

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Authorization enforcement (SR 2.1)
    ISA/IEC 62443-3-3:2013
  • Session lock (SR 2.5)
    ISA/IEC 62443-3-3:2013
  • Use control for portable and mobile devices (SR 2.3)
    ISA/IEC 62443-3-3:2013
  • Wireless access management (SR 1.6)
    ISA/IEC 62443-3-3:2013
  • Session integrity (SR 3.8)
    ISA/IEC 62443-3-3:2013
  • Authenticator management (SR 1.5)
    ISA/IEC 62443-3-3:2013
  • Identifier management (SR 1.4)
    ISA/IEC 62443-3-3:2013
  • Access via untrusted networks (SR 1.13)
    ISA/IEC 62443-3-3:2013
  • Human User Identification and Authentication (SR 1.1)
    ISA/IEC 62443-3-3:2013
  • Software process and device identification and authentication (SR 1.2)
    ISA/IEC 62443-3-3:2013
  • Wireless use control (SR 2.2)
    ISA/IEC 62443-3-3:2013
  • Authenticate all remote users at the appropriate level (4.3.3.6.5)
    ISA/IEC 62443-2-1:2009
  • Identify individuals (4.3.3.5.2)
    ISA/IEC 62443-2-1:2009
  • Suspend or remove unneeded accounts (4.3.3.5.5)
    ISA/IEC 62443-2-1:2009
  • Employ multiple authorization methods for critical IACS (4.3.3.7.4)
    ISA/IEC 62443-2-1:2009
  • Employ authentication for task-to task communication (4.3.3.6.9)
    ISA/IEC 62443-2-1:2009
  • Require strong authentication methods for system administration and application configuration (4.3.3.6.3)
    ISA/IEC 62443-2-1:2009
  • Audit account administration (4.3.3.5.8)
    ISA/IEC 62443-2-1:2009
  • Authenticate all users before system use (4.3.3.6.2)
    ISA/IEC 62443-2-1:2009
  • Review account permissions (4.3.3.5.6)
    ISA/IEC 62443-2-1:2009
  • Establish appropriate logical and physical permission methods to access IACS devices (4.3.3.7.2)
    ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Access to networks and network services (9.1.2)
    ISO 27001:2013
  • Information access restriction (9.4.1)
    ISO 27001:2013
  • Secure log-on procedures (9.4.2)
    ISO 27001:2013
  • Network controls (13.1.1)
    ISO 27001:2013
  • Review of user access rights (9.2.5)
    ISO 27001:2013
  • Physical entry controls (11.1.2)
    ISO 27001:2013
  • Securing offices, rooms, and facilities (11.1.3)
    ISO 27001:2013

Related SP800-53 Controls

Generated from NISTs SP800-53/CSF Crosswalk mappings.

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.