IA-11 Re-authentication
Control
Require users to re-authenticate when [Assignment: organization-defined circumstances or situations].
Guidance:
The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:
- AAL3 (high baseline) * 12 hours or * 15 minutes of inactivity
Discussion
In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.
FedRAMP-Defined Assignment / Selection Parameters
N/A