PR.AA-03 - Authenticating Users and Devices

PR.AA-03 mandates the authentication of users, services, and hardware to verify their identity before granting access to organizational assets. This can include multifactor authentication (MFA), strong password policies, or periodic re-authentication, particularly in high-risk environments like zero trust architectures. It ensures that only verified entities can operate within the system.

This subcategory bolsters security by enforcing robust authentication mechanisms tailored to risk levels, preventing unauthorized access even if credentials are compromised. It supports emergency access protocols to maintain safety-critical operations, balancing security with functionality. PR.AA-03 is a key defense against identity-based threats.
