PR.AA-03.202

Does your organization implement periodic reauthentication requirements for users, services, and hardware based on risk levels, particularly in zero trust architectures?

Explanation

Periodic reauthentication helps verify that the entity accessing resources is still the authorized entity, reducing the risk of compromised credentials or unauthorized access. This control is especially important in zero trust architectures where continuous verification is a core principle. Examples include requiring users to re-enter credentials after a period of inactivity, services to refresh authentication tokens regularly, and hardware devices to periodically validate their identity through certificates or other mechanisms. Evidence of fulfillment could include a documented reauthentication policy that defines different reauthentication frequencies based on risk levels, system configuration screenshots showing timeout settings, authentication logs demonstrating periodic reauthentication events, or identity provider settings that enforce token expiration and renewal requirements.
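The risk-tiered reauthentication policy described above, as an added example that is not part of the original page: each risk tier carries an inactivity timeout and an absolute session lifetime, and every check emits a log record of the kind the control names as evidence. The tier values, session fields and principal names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Risk-tiered reauthentication limits. Values are constructed for this example;
# a real policy document would set its own idle and absolute lifetimes per tier.
POLICY = {
    "low":    {"idle": timedelta(hours=8),    "max_age": timedelta(days=7)},
    "medium": {"idle": timedelta(hours=1),    "max_age": timedelta(hours=12)},
    "high":   {"idle": timedelta(minutes=15), "max_age": timedelta(hours=1)},
}

@dataclass
class Session:
    principal: str              # identity of the user, service or device
    kind: str                   # "user", "service" or "hardware"
    risk: str                   # "low", "medium" or "high"
    authenticated_at: datetime  # last successful (re)authentication
    last_activity: datetime     # last request seen on this session

def reauth_required(session: Session, now: datetime) -> tuple:
    """Decide whether the entity must prove its identity again.

    Two independent limits apply per tier: an inactivity timeout and an
    absolute session age, so a continuously active high-risk session still
    reauthenticates on schedule. Returns (required, reason).
    """
    limits = POLICY[session.risk]
    if now - session.authenticated_at >= limits["max_age"]:
        return True, "max_age"
    if now - session.last_activity >= limits["idle"]:
        return True, "idle"
    return False, "ok"

def evaluate(sessions, now: datetime) -> list:
    """Check every session and emit one structured audit record per decision."""
    records = []
    for s in sessions:
        required, reason = reauth_required(s, now)
        records.append({"ts": now.isoformat(), "principal": s.principal,
                        "kind": s.kind, "risk": s.risk,
                        "reauth_required": required, "reason": reason})
    return records

# Constructed sample sessions, all evaluated at the same instant.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Session("alice", "user", "low", NOW - timedelta(days=2), NOW - timedelta(minutes=5)),
    Session("svc-billing", "service", "high", NOW - timedelta(hours=2), NOW - timedelta(seconds=30)),
    Session("badge-reader-7", "hardware", "medium", NOW - timedelta(hours=3), NOW - timedelta(minutes=90)),
]

if __name__ == "__main__":
    for record in evaluate(SAMPLE, NOW):
        print(record)
```

The low-risk user passes, the high-risk service token is past its absolute lifetime, and the medium-risk device has exceeded its idle limit despite a recent authentication.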

Implementation Example

Periodically reauthenticate users, services, and hardware based on risk (e.g., in zero trust architectures)

ID: PR.AA-03.202

Context

Function: PR: PROTECT
Category: PR.AA: Identity Management, Authentication, and Access Control
Sub-Category: Users, services, and hardware are authenticated

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub