NIST CSF: PR.AC-7 Subcategory
From NIST's Cyber Security Framework (version 1):
Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
- Secure log-on procedures (9.4.2), ISO 27001:2013
- Management of secret authentication information of users (9.2.4), ISO 27001:2013
- Use of secret authentication information (9.3.1), ISO 27001:2013
- Privacy and protection of personally identifiable information (18.1.4), ISO 27001:2013
- Password management system (9.4.3), ISO 27001:2013
- User registration and de-registration (9.2.1), ISO 27001:2013
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
- Authenticate all users before system use (4.3.3.6.2), ISA/IEC 62443-2-1:2009
- Require strong authentication methods for system administration and application configuration (4.3.3.6.3), ISA/IEC 62443-2-1:2009
- Authenticate all remote users at the appropriate level (4.3.3.6.5), ISA/IEC 62443-2-1:2009
- Develop a policy for remote login and connections (4.3.3.6.6), ISA/IEC 62443-2-1:2009
- Public key infrastructure (PKI) certificates (SR 1.8), ISA/IEC 62443-3-3:2013
- Log and review all access attempts to critical systems (4.3.3.6.4), ISA/IEC 62443-2-1:2009
- Strength of password-based authentication (SR 1.7), ISA/IEC 62443-3-3:2013
- Disable access account after failed remote login attempts (4.3.3.6.7), ISA/IEC 62443-2-1:2009
- Authenticator feedback (SR 1.10), ISA/IEC 62443-3-3:2013
- Develop an authentication strategy (4.3.3.6.1), ISA/IEC 62443-2-1:2009
- Human User Identification and Authentication (SR 1.1), ISA/IEC 62443-3-3:2013
- Require re-authentication after remote system inactivity (4.3.3.6.8), ISA/IEC 62443-2-1:2009
- Authenticator management (SR 1.5), ISA/IEC 62443-3-3:2013
- Software process and device identification and authentication (SR 1.2), ISA/IEC 62443-3-3:2013
- Employ authentication for task-to-task communication (4.3.3.6.9), ISA/IEC 62443-2-1:2009
- Strength of public key authentication (SR 1.9), ISA/IEC 62443-3-3:2013
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1552 | Unsecured Credentials | Credential Access |
T1213.002 | Sharepoint | Collection |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1213.001 | Confluence | Collection |
T1552.005 | Cloud Instance Metadata API | Credential Access |
T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation |
T1602.002 | Network Device Configuration Dump | Collection |
T1110.001 | Password Guessing | Credential Access |
T1110 | Brute Force | Credential Access |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1053.002 | At | Execution, Persistence, Privilege Escalation |
T1530 | Data from Cloud Storage | Collection |
T1110.002 | Password Cracking | Credential Access |
T1021.005 | VNC | Lateral Movement |
T1578.001 | Create Snapshot | Defense Evasion |
T1528 | Steal Application Access Token | Credential Access |
T1563 | Remote Service Session Hijacking | Lateral Movement |
T1562 | Impair Defenses | Defense Evasion |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1003 | OS Credential Dumping | Credential Access |
T1602.001 | SNMP (MIB Dump) | Collection |
T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
T1578.003 | Delete Cloud Instance | Defense Evasion |
T1578.002 | Create Cloud Instance | Defense Evasion |
T1003.005 | Cached Domain Credentials | Credential Access |
T1537 | Transfer Data to Cloud Account | Exfiltration |
T1602 | Data from Configuration Repository | Collection |
T1110.004 | Credential Stuffing | Credential Access |
T1003.006 | DCSync | Credential Access |
T1213 | Data from Information Repositories | Collection |
T1110.003 | Password Spraying | Credential Access |
T1550.001 | Application Access Token | Defense Evasion, Lateral Movement |
T1137.002 | Office Test | Persistence |
T1185 | Browser Session Hijacking | Collection |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1505.005 | Terminal Services DLL | Persistence |
T1563.002 | RDP Hijacking | Lateral Movement |
T1621 | Multi-Factor Authentication Request Generation | Credential Access |
T1558.004 | AS-REP Roasting | Credential Access |
T1599 | Network Boundary Bridging | Defense Evasion |
T1599.001 | Network Address Translation Traversal | Defense Evasion |
T1563.001 | SSH Hijacking | Lateral Movement |
T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
T1098.002 | Additional Email Delegate Permissions | Persistence, Privilege Escalation |
T1552.006 | Group Policy Preferences | Credential Access |
T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
T1003.001 | LSASS Memory | Credential Access |
T1558.001 | Golden Ticket | Credential Access |
T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
T1555.001 | Keychain | Credential Access |
T1555.005 | Password Managers | Credential Access |
T1021 | Remote Services | Lateral Movement |
T1558.003 | Kerberoasting | Credential Access |
T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
T1552.004 | Private Keys | Credential Access |
T1114 | Email Collection | Collection |
T1601.002 | Downgrade System Image | Defense Evasion |
T1003.004 | LSA Secrets | Credential Access |
T1003.003 | NTDS | Credential Access |
T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1136.001 | Local Account | Persistence |
T1556.001 | Domain Controller Authentication | Credential Access, Defense Evasion, Persistence |
T1552.002 | Credentials in Registry | Credential Access |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
T1111 | Multi-Factor Authentication Interception | Credential Access |
T1556.004 | Network Device Authentication | Credential Access, Defense Evasion, Persistence |
T1649 | Steal or Forge Authentication Certificates | Credential Access |
T1555.004 | Windows Credential Manager | Credential Access |
T1003.007 | Proc Filesystem | Credential Access |
T1558.002 | Silver Ticket | Credential Access |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1114.002 | Remote Email Collection | Collection |
T1558 | Steal or Forge Kerberos Tickets | Credential Access |
T1556.005 | Reversible Encryption | Credential Access, Defense Evasion, Persistence |
T1552.001 | Credentials In Files | Credential Access |
T1133 | External Remote Services | Initial Access, Persistence |
T1601.001 | Patch System Image | Defense Evasion |
T1555.002 | Securityd Memory | Credential Access |
T1555 | Credentials from Password Stores | Credential Access |
T1003.002 | Security Account Manager | Credential Access |
T1040 | Network Sniffing | Credential Access, Discovery |
T1136 | Create Account | Persistence |
T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1601 | Modify System Image | Defense Evasion |
T1539 | Steal Web Session Cookie | Credential Access |
T1136.003 | Cloud Account | Persistence |
T1021.004 | SSH | Lateral Movement |
T1136.002 | Domain Account | Persistence |
T1556.003 | Pluggable Authentication Modules | Credential Access, Defense Evasion, Persistence |
T1199 | Trusted Relationship | Initial Access |
T1598.003 | Spearphishing Link | Reconnaissance |
T1059.002 | AppleScript | Execution |
T1059 | Command and Scripting Interpreter | Execution |
T1525 | Implant Internal Image | Persistence |
T1036 | Masquerading | Defense Evasion |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1546 | Event Triggered Execution | Persistence, Privilege Escalation |
T1213.003 | Code Repositories | Collection |
T1554 | Compromise Client Software Binary | Persistence |
T1553.004 | Install Root Certificate | Defense Evasion |
T1553 | Subvert Trust Controls | Defense Evasion |
T1566.002 | Spearphishing Link | Initial Access |
T1546.006 | LC_LOAD_DYLIB Addition | Persistence, Privilege Escalation |
T1566.001 | Spearphishing Attachment | Initial Access |
T1059.001 | PowerShell | Execution |
T1036.001 | Invalid Code Signature | Defense Evasion |
T1598.002 | Spearphishing Attachment | Reconnaissance |
T1566 | Phishing | Initial Access |
T1562.009 | Safe Mode Boot | Defense Evasion |
T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
T1562.006 | Indicator Blocking | Defense Evasion |
T1598 | Phishing for Information | Reconnaissance |
T1556.006 | Multi-Factor Authentication | Credential Access, Defense Evasion, Persistence |
T1556.007 | Hybrid Identity | Credential Access, Defense Evasion, Persistence |
T1562.002 | Disable Windows Event Logging | Defense Evasion |
T1021.006 | Windows Remote Management | Lateral Movement |
T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
T1087.004 | Cloud Account | Discovery |
T1218.007 | Msiexec | Defense Evasion |
T1489 | Service Stop | Impact |
T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
T1574.012 | COR_PROFILER | Defense Evasion, Persistence, Privilege Escalation |
T1542 | Pre-OS Boot | Defense Evasion, Persistence |
T1036.007 | Double File Extension | Defense Evasion |
T1218 | System Binary Proxy Execution | Defense Evasion |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1055 | Process Injection | Defense Evasion, Privilege Escalation |
T1197 | BITS Jobs | Defense Evasion, Persistence |
T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1538 | Cloud Service Dashboard | Discovery |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1134.001 | Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
T1134.003 | Make and Impersonate Token | Defense Evasion, Privilege Escalation |
T1543.004 | Launch Daemon | Persistence, Privilege Escalation |
T1613 | Container and Resource Discovery | Discovery |
T1542.003 | Bootkit | Defense Evasion, Persistence |
T1552.007 | Container API | Credential Access |
T1190 | Exploit Public-Facing Application | Initial Access |
T1053.007 | Container Orchestration Job | Execution, Persistence, Privilege Escalation |
T1495 | Firmware Corruption | Impact |
T1569 | System Services | Execution |
T1611 | Escape to Host | Privilege Escalation |
T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
T1569.001 | Launchctl | Execution |
T1547.012 | Print Processors | Persistence, Privilege Escalation |
T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement |
T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
T1585.003 | Cloud Accounts | Resource Development |
T1055.008 | Ptrace System Calls | Defense Evasion, Privilege Escalation |
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
T1559.001 | Component Object Model | Execution |
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation |
T1562.008 | Disable or Modify Cloud Logs | Defense Evasion |
T1059.008 | Network Device CLI | Execution |
T1222 | File and Directory Permissions Modification | Defense Evasion |
T1542.005 | TFTP Boot | Defense Evasion, Persistence |
T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1134.002 | Create Process with Token | Defense Evasion, Privilege Escalation |
T1547.009 | Shortcut Modification | Persistence, Privilege Escalation |
T1569.002 | Service Execution | Execution |
T1648 | Serverless Execution | Execution |
T1586.003 | Cloud Accounts | Resource Development |
T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement |
T1542.001 | System Firmware | Defense Evasion, Persistence |
T1505.002 | Transport Agent | Persistence |
T1610 | Deploy Container | Defense Evasion, Execution |
T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion |
T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1543.001 | Launch Agent | Persistence, Privilege Escalation |
T1056.003 | Web Portal Capture | Collection, Credential Access |
T1053.006 | Systemd Timers | Execution, Persistence, Privilege Escalation |
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
T1047 | Windows Management Instrumentation | Execution |
T1505 | Server Software Component | Persistence |
T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
T1619 | Cloud Storage Object Discovery | Discovery |
T1505.004 | IIS Components | Persistence |
T1546.003 | Windows Management Instrumentation Event Subscription | Persistence, Privilege Escalation |
T1559 | Inter-Process Communication | Execution |
T1580 | Cloud Infrastructure Discovery | Discovery |
T1021.003 | Distributed Component Object Model | Lateral Movement |
T1543.002 | Systemd Service | Persistence, Privilege Escalation |
T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
Control ID | Name | Description |
---|---|---|
B2.a | Identity Verification, Authentication and Authorisation | You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential function. |
B2.b | Device Management | You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential function. |
B4.c | Secure Management | You manage your organisation's network and information systems that support the operation of essential functions to enable and maintain security. |
B2.c | Privileged User Management | You closely manage privileged user access to networks and information systems supporting the essential function. |
B3.c | Stored Data | You have protected stored data important to the operation of the essential function. |
B2.d | Identity and Access Management (IdAM) | You closely manage and maintain identity and access control for users, devices and systems accessing the networks and information systems supporting the essential function. |