Does your organization implement periodic reauthentication requirements for users, services, and hardware based on risk levels, particularly in zero trust architectures?
Explanation
Periodic reauthentication helps verify that the entity accessing resources is still the authorized entity, reducing the risk of compromised credentials or unauthorized access. This control is especially important in zero trust architectures where continuous verification is a core principle.
Examples include requiring users to re-enter credentials after a period of inactivity, services to refresh authentication tokens regularly, and hardware devices to periodically validate their identity through certificates or other mechanisms.
Evidence of fulfillment could include a documented reauthentication policy that defines different reauthentication frequencies based on risk levels, system configuration screenshots showing timeout settings, authentication logs demonstrating periodic reauthentication events, or identity provider settings that enforce token expiration and renewal requirements.
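As an added illustration (not part of this control text or any standard), the Python below evaluates a session against a risk-tiered reauthentication policy of the kind the control describes: a shorter maximum lifetime and idle window for higher-risk principals, failing closed on unknown tiers or clock anomalies. The tier names, timeouts and field names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy table (assumed values): per risk tier, the maximum
# session lifetime before a fresh authentication is demanded, and the
# maximum idle period before the same is required.
POLICY = {
    "low":    {"max_lifetime": timedelta(hours=12),   "max_idle": timedelta(hours=2)},
    "medium": {"max_lifetime": timedelta(hours=4),    "max_idle": timedelta(minutes=30)},
    "high":   {"max_lifetime": timedelta(minutes=30), "max_idle": timedelta(minutes=5)},
}


@dataclass
class Session:
    principal: str            # user, service or device identity (hypothetical field)
    kind: str                 # "user", "service" or "hardware"
    risk: str                 # key into POLICY; may be raised by a posture change
    authenticated_at: datetime
    last_activity: datetime


def reauth_required(session: Session, now: datetime) -> tuple[bool, str]:
    """Return (required, reason) for the session at time `now`.

    Unknown tiers and timestamps from the future fail closed, so a
    misconfigured or tampered session can never be treated as fresh."""
    policy = POLICY.get(session.risk)
    if policy is None:
        return True, "unknown risk tier"
    if session.authenticated_at > now or session.last_activity > now:
        return True, "timestamp in the future"
    if now - session.authenticated_at >= policy["max_lifetime"]:
        return True, "session lifetime exceeded"
    if now - session.last_activity >= policy["max_idle"]:
        return True, "idle timeout exceeded"
    return False, "ok"


def audit_event(session: Session, now: datetime) -> dict:
    """Build a log record suitable as evidence that the check ran."""
    required, reason = reauth_required(session, now)
    return {"ts": now.isoformat(), "principal": session.principal,
            "kind": session.kind, "risk": session.risk,
            "reauth_required": required, "reason": reason}


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    svc = Session("build-runner", "service", "high",
                  now - timedelta(minutes=10), now - timedelta(minutes=6))
    print(audit_event(svc, now))
```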
Implementation Example
Periodically reauthenticate users, services, and hardware based on risk (e.g., in zero trust architectures)
ID: PR.AA-03.202
Context
- Function: PR: PROTECT
- Category: PR.AA: Identity Management, Authentication, and Access Control
- Sub-Category: Users, services, and hardware are authenticated
Related questions
- Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
- Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
- Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
- Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
- Does your organization verify individuals' identities during enrollment using government-issued credentials?
- Does your organization issue unique credentials to each individual user and prohibit credential sharing?