Exported from Confluence, Fri 29 Mar 2024.
E-Authentication risk assessments are used to define the electronic assurance levels (EAL) needed to ensure authentication processes are appropriate for electronic transactions requiring authentication. The EALs also provide a basis for assessing credential service providers (CSP) on behalf of federal agencies. Either the system owner or the business owner of a system is required to complete the eAuth RA based on the criteria discussed below. The final workbook must be approved by the IT System Owner (usually the federal business sponsor). The completed workbook must be updated if changes are made to the system that result in changes to previous e-Authentication ratings.
The e-Authentication policy is found in the Office of Management and Budget Memo 04-04, E-Authentication Guidance for Federal Agencies. Technology recommendations and guidance are discussed in the National Institute of Standards and Technology (NIST) SP 800-63, Electronic Authentication Guideline.
On Step 1 (Tab 2) of the workbook, fill in the System Name, ISSO Name, System Owner Name (Federal business owner), Date of Assessment, and Date of Approval in the provided blanks. If you know your system's FISMA UUID you can provide it; otherwise leave it blank and it can be assigned later if needed.
The Minimum Assurance Level box will be automatically filled in based on Step 2.
Answer the three screening questions posed, which are:
If you answer YES to all 3 of these questions, then you must proceed to Step 2 of the workbook and complete all required answers in Step 2. If you answered NO to any one of these 3 questions, then an eAuth rating is not required and you can skip to Step 3.
On Step 2 (Tab 3) provide a response to each question by selecting the appropriate impact level for each of the 6 Impact areas using the built-in dropdown menus (e.g., choosing between N/A, Low, Moderate, or High).
Go to Step 3 (Tab 4) of the workbook to view the automatically assigned e-Auth Level noted as the Minimum Assurance Level. These will range from Level 1 to Level 4 based on the answers provided in Step 2. If you disagree with the final Level assigned by the tool, then you can re-evaluate your responses to Step 2 and adjust them as needed.
Obtain system owner approval by having the federal business owner approve on the provided signature line.
Send a completed copy of the signed eAuth Workbook to the NCI ISSO at NCIIRM@nih.gov.
The e-Authentication policy defines four assurance levels:
Each EAL allows one or more token types. More details on the different tokens, as well as the various methods for proving identity, are discussed in NIST SP 800-63.
| Token Type | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Hard Crypto Token | X | X | X | X |
| One-time password device | X | X | X | |
| Soft Crypto Token | X | X | X | |
| Passwords and PINs | X | X | | |
It is important to note that the E-Authentication guidance does not apply to authorization. Authorization focuses on the actions permitted of an identity after authentication has taken place. Decisions concerning authorization are and should remain the purview of the business process owner.
Either form can be completed by the System Owner (contractor) or the Business Owner (Fed), but the appropriate completed form needs to be reviewed and approved in writing by the system's designated ISSO and the designated authorizing official (AO). The completed form is also maintained by the NCI ISSO and must be updated if changes are made to the system that impact the previous e-Auth ratings. Contact the NCI ISSO for help completing these forms (nciirm@mail.nih.gov).