FedRAMP Control Explorer

Controls

Access Control

Assessment, Authorization, and Monitoring

Audit and Accountability

Awareness and Training

Configuration Management

Contingency Planning

Identification and Authentication

Incident Response

Maintenance

Media Protection

Personnel Security

Physical and Environmental Protection

Planning

Risk Assessment

Supply Chain Risk Management

System and Communications Protection

System and Information Integrity

System and Services Acquisition

IA-11 Re-authentication

Control

Require users to re-authenticate when [Assignment: organization-defined circumstances or situations].

Guidance:

The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

AAL3 (high baseline) * 12 hours or * 15 minutes of inactivity

Discussion

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.

FedRAMP-Defined Assignment / Selection Parameters

N/A