E authentication template 050212

eAuthentication Plan Template<Information System Name>, <Date> eAuthentication Template <Vendor Name> <Information System Name> Version 1.0 May2, 2012 Proprietary and Confidential For Authorized Use Only

eAuthentication Plan Template<Information System Name>, <Date> Document Revision History Date Description Version Author 05/02/2012 Document Publication 1.0 FedRAMP OfficeCompany Sensitive and Proprietary Page 2

eAuthentication Plan Template<Information System Name>, <Date> Table of ContentsAbout this document .....................................................................................................................................................5 Who should use this document? .....................................................................................................................5 How this document is organized .....................................................................................................................5 Conventions used in this document ................................................................................................................5 How to contact us............................................................................................................................................61. INFORMATION SYSTEM NAME/TITLE ...............................................................................................................72. EAUTHENTICATION LEVEL DEFINITIONS ...........................................................................................................73. HOW TO SELECT YOUR EAUTHENTICATION LEVEL ............................................................................................84. EAUTHENTICATION LEVEL SELECTION ..............................................................................................................8Company Sensitive and Proprietary Page 3

eAuthentication Plan Template<Information System Name>, <Date> List of TablesTable 1-1. Information System Name and Title..............................................................................................................7Table 3-1 Potential Impacts for Assurance Levels ..........................................................................................................8Table 4-1. EAuthentication Level ...................................................................................................................................8Company Sensitive and Proprietary Page 4

eAuthentication Plan Template<Information System Name>, <Date>ABOUT THIS DOCUMENTThis document has been developed to provide guidance on how to participate in and understandthe FedRAMP program.Who should use this document?This document is intended to be used by Cloud Service Providers (CSPs), Third Party AssessorOrganizations (3PAOs), government contractors working on FedRAMP projects, governmentemployees working on FedRAMP projects, and any outside organizations that want to make useof the FedRAMP EAuthenticationrequirements.How this document is organizedThis document is divided into threesections.Section 1 identifies the information system.Section 2 describes the EAuthentication Levels.Section 3 describes how to determine the system EAuthentication Level.Section 4 states the EAuthentication Level selected for the information system.Conventions used in this documentThis document uses the following typographical conventions:ItalicItalics are used for email addresses, security control assignments parameters, and formaldocument names.Italic blue in a boxItalic blue text in a blue boxindicates instructions to the individual filling out the template. Instruction: This is an instruction to the individual filling out of the template.BoldBold text indicates a parameter or an additional requirement.Constant widthConstant width text is used for text that is representative of characters that would show up on acomputer screen.<Brackets>Bold bluetext in brackets indicates text that should be replaced with user-defined values. OnceCompany Sensitive and Proprietary Page 5

eAuthentication Plan Template<Information System Name>, <Date>the text has been replaced, the brackets should be removed.Notes Notes are found between parallel lines and include additional information that may be helpfulto the users of this template. Note: This is a note.Sans SerifSans Serif text is used for tables, table captions, figure captions, and table of contents.How to contact usIf you have questions about FedRAMP or something in this document, please write to: info@fedramp.govFor more information about the FedRAMP project, please see the website at: http://www.fedramp.gov.Company Sensitive and Proprietary Page 6

eAuthentication Plan Template<Information System Name>, <Date>1. INFORMATION SYSTEM NAME/TITLEThis EAuthentication Plan provides an overview of the authentication level for the<Information System Name>(<Information System Abbreviation>) in accordance with OMBMemo M-04-04. Table 1-1. Information System Name and Title UniqueIdentifier Information System Name Information System Abbreviation2. EAUTHENTICATION LEVEL DEFINITIONSOMB Memo M-04-04, EAuthentication Guidance for Federal Agencies requires that federalinformation system owners determine the system’s electronic authentication (EAuthentication)requirements to minimize the potential impact of authentication errors and misuse of credentials.The OMB memo defines four authentication levels to categorize a federal information system’sEAuthentication posture. The OMB Memo defines four EAuthentication levels as: Level 1: Little or no confidence in the asserted identity’s validity Level 2: Some confidence in the asserted identity’s validity Level 3: High confidence in the asserted identity’s validity Level 4: Very high confidence in the asserted identity’s validity Note: OMB Memo M-04-04can be found at the following URL: http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdfThe objective for selecting the appropriate EAuthentication level for the candidate system is sothat the system owner can then more easily proceed to select the right technology solution toimplement the designated level. Guidance on selecting the system authentication technologysolution is available in NIST SP 800-63, Revision 1, Electronic Authentication Guidance. Note: NIST SP 800-63, Revision 1 can be found at the following URL: http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdfCompany Sensitive and Proprietary Page 7

eAuthentication Plan Template<Information System Name>, <Date>3. HOW TO SELECT YOUR EAUTHENTICATION LEVELDetermine what the qualitative risk exposure would be to the authentication transaction processregardless of the technology used. Select the lowest level that will cover all potential impactidentified according the Table 3-1. Table 3-1. Potential Impacts for Assurance Levels Assurance Level Impact ProfileInconvenience, distress or damage to standing or reputation 1 2 3 4Financial loss or agency liability Low Mod Mod HighHarm to agency programs or public interests Low Mod Mod HighUnauthorized release of sensitive information N/A Low Mod HighPersonal Safety N/A N/A Low Mod, HighCivil or criminal violations N/A Low Mod High4. EAUTHENTICATION LEVEL SELECTION Instruction: Please use OMB Memo M-04-04 and NIST SP 800-63, Revision 1 to assist you in selecting an EAuthentication Level for the candidate system. Please note that FedRAMP does not currently perform assessments for systems categorized as High sensitivity.The<CSP> has identified that they support the EAuthentication Level that has been selected forthe <Information System Name> as noted in Table 4-1. The selected EAuthentication Levelindicated below is supported for federal agency consumers of the cloud service offering.Implementation details of the EAuthentication mechanisms are provided in the System SecurityPlan under control IA-2. Table 4-1.EAuthentication Level EAuthentication Level Maximum Impact Profile Selection Level 1: no identity proofing requirement Low Level 2: single factor remote authentication Low Level 3: multi-factor remote authentication Moderate Level 4: multi-factor remote authentication; hard crypto tokens HighCompany Sensitive and Proprietary Page 8

eAuthentication Plan Template<Information System Name>, <Date> [This page left intentionally blank.]Company Sensitive and Proprietary Page 9

E authentication template 050212

by Kevin Jackson

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 1

Statistics