FedRAMP Control Explorer

IA-11 Re-authentication

Control

Require users to re-authenticate when [Assignment: organization-defined circumstances or situations].

Guidance

The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

  • AAL3 (high baseline)
      • 12 hours, or
      • 15 minutes of inactivity

Discussion

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.

FedRAMP-Defined Assignment / Selection Parameters

N/A