Ansible Tower - Identification and Authentication

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

Control    Name                                                          Status
---------- ------------------------------------------------------------- --------------
IA-1       Identification And Authentication Policy And Procedures       not applicable
IA-2       Identification And Authentication (Organizational Users)      not applicable
IA-2 (1)   Network Access To Privileged Accounts                         planned
IA-2 (2)   Network Access To Non-Privileged Accounts
IA-2 (3)   Local Access To Privileged Accounts
IA-2 (4)   Local Access To Non-Privileged Accounts
IA-2 (5)   Group Authentication
IA-2 (6)   Network Access To Privileged Accounts - Separate Device
IA-2 (7)   Network Access To Non-Privileged Accounts - Separate Device
IA-2 (8)   Network Access To Privileged Accounts - Replay Resistant
IA-2 (9)   Network Access To Non-Privileged Accounts - Replay Resistant
IA-2 (10)  Single Sign-On
IA-2 (11)  Remote Access - Separate Device
IA-2 (12)  Acceptance Of Piv Credentials                                 planned
IA-2 (13)  Out-Of-Band Authentication
IA-3       Device Identification And Authentication
IA-3 (1)   Cryptographic Bidirectional Authentication
IA-3 (2)   Cryptographic Bidirectional Network Authentication
IA-3 (3)   Dynamic Address Allocation
IA-3 (4)   Device Attestation
IA-4       Identifier Management                                         not applicable
IA-4 (1)   Prohibit Account Identifiers As Public Identifiers
IA-4 (2)   Supervisor Authorization
IA-4 (3)   Multiple Forms Of Certification
IA-4 (4)   Identify User Status
IA-4 (5)   Dynamic Management
IA-4 (6)   Cross-Organization Management
IA-4 (7)   In-Person Registration
IA-5       Authenticator Management                                      complete
IA-5 (1)   Password-Based Authentication                                 complete
IA-5 (2)   Pki-Based Authentication
IA-5 (3)   In-Person Or Trusted Third-Party Registration
IA-5 (4)   Automated Support For Password Strength Determination
IA-5 (5)   Change Authenticators Prior To Delivery
IA-5 (6)   Protection Of Authenticators
IA-5 (7)   No Embedded Unencrypted Static Authenticators
IA-5 (8)   Multiple Information System Accounts
IA-5 (9)   Cross-Organization Credential Management
IA-5 (10)  Dynamic Credential Association
IA-5 (11)  Hardware Token-Based Authentication                           not applicable
IA-5 (12)  Biometric-Based Authentication
IA-5 (13)  Expiration Of Cached Authenticators
IA-5 (14)  Managing Content Of Pki Trust Stores
IA-5 (15)  Ficam-Approved Products And Services
IA-6       Authenticator Feedback                                        complete
IA-7       Cryptographic Module Authentication
IA-8       Identification And Authentication (Non-Organizational Users)  not applicable
IA-8 (1)   Acceptance Of Piv Credentials From Other Agencies             planned
IA-8 (2)   Acceptance Of Third-Party Credentials                         not applicable
IA-8 (3)   Use Of Ficam-Approved Products                                not applicable
IA-8 (4)   Use Of Ficam-Issued Profiles                                  not applicable
IA-8 (5)   Acceptance Of Piv-I Credentials
IA-9       Service Identification And Authentication
IA-9 (1)   Information Exchange
IA-9 (2)   Transmission Of Decisions
IA-10      Adaptive Identification And Authentication
IA-11      Re-Authentication


IA-1: Identification And Authentication Policy And Procedures

“The organization:

a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and

b. Reviews and updates the current:
   1. Identification and authentication policy [Assignment: organization-defined frequency]; and
   2. Identification and authentication procedures [Assignment: organization-defined frequency].”

IA-1 Control Response Information
Implementation Status: not applicable

IA-1: What is the solution and how is it implemented?



IA-2: Identification And Authentication (Organizational Users)

“The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).”

IA-2 Control Response Information
Implementation Status: not applicable

IA-2: What is the solution and how is it implemented?

Ansible Tower does not have the capability to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

To satisfy this control an external authentication service, such as Red Hat IdM, must be used. This control is not applicable to Ansible Tower when an external authentication service is used.


IA-2 (1): Network Access To Privileged Accounts

“The information system implements multifactor authentication for network access to privileged accounts.”

IA-2 (1) Control Response Information
Implementation Status: planned

IA-2 (1): What is the solution and how is it implemented?

The customer will be responsible for implementing multifactor authentication for network access to privileged accounts.

A successful control response will need to address all network-accessible privileged account types and the means by which multifactor authentication is enforced for each.

Documentation/guidance is being tracked through GitHub: https://github.com/ComplianceAsCode/redhat/issues/305


IA-2 (2): Network Access To Non-Privileged Accounts

“The information system implements multifactor authentication for network access to non-privileged accounts.”

IA-2 (2) Control Response Information
Implementation Status: