Content library
C2M2: MIL1
ACCESS-1: Establish Identities and Manage Authentication

Requirement description

MIL1 requirements
a. Identities are provisioned, at least in an ad hoc manner, for personnel and other entities such as services and devices that require access to assets (note that this does not preclude shared identities)
b. Credentials (such as passwords, smartcards, certificates, and keys) are issued for personnel and other entities that require access to assets, at least in an ad hoc manner
c. Identities are deprovisioned, at least in an ad hoc manner, when no longer required

MIL2 requirements
d. Password strength and reuse restrictions are defined and enforced
e. Identity repositories are reviewed and updated periodically and according to defined triggers, such as system changes and changes to organizational structure
f. Identities are deprovisioned within organization-defined time thresholds when no longer required
g. The use of privileged credentials is limited to processes for which they are required
h. Stronger credentials, multifactor authentication, or single use credentials are required for higher risk access (such as privileged accounts, service accounts, shared accounts, and remote access)

MIL3 requirements
i. Multifactor authentication is required for all access, where feasible
j. Identities are disabled after a defined period of inactivity, where feasible

How to fill the requirement

C2M2: MIL1

ACCESS-1: Establish Identities and Manage Authentication

Task name
Priority
Status
Theme
Policy
Other requirements
Avoiding and documenting shared user accounts
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
12
requirements

Examples of other requirements this task affects

I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Katakri
32. Security of processing
GDPR
9.2.4: Management of secret authentication information of users
ISO 27001
TEK-08: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Julkri
5.16: Identity management
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Avoiding and documenting shared user accounts
1. Task description

Shared accounts should only be allowed if they are necessary for business or operational reasons and should be separately approved and documented.

If shared accounts are used for admin purposes, passwords must be changed as soon as possible after any user with admin rights leaves their job.

Descriptions of different access rights management processes
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
10
requirements

Examples of other requirements this task affects

14.5.12): Kibernetinio saugumo prieigos ir duomenų teisių politika
NIS2 Lithuania
ACCESS-1: Establish Identities and Manage Authentication
C2M2
I-06: VÄHIMPIEN OIKEUKSIEN PERIAATE – PÄÄSYOIKEUKSIEN HALLINNOINTI
Katakri 2020
4.5: Käyttöoikeuksien hallinta
TiHL tietoturvavaatimukset
4.2.1: Access Management
TISAX
See all related requirements and other information from tasks own page.
Go to >
Descriptions of different access rights management processes
1. Task description

The organisation must manage all of it’s users and their privileges. This includes all third party users, which have access into the organisations data or systems.

The organisation must remove users entirely or remove privileges from them when they are no longer needed e.g when employee role changes.

Authentication of identities and binding to user data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
10
requirements

Examples of other requirements this task affects

PR.AC-6: Proof of identity
NIST
ACCESS-1: Establish Identities and Manage Authentication
C2M2
4.1.3: Management of users in data systems
TISAX
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions.
CyberFundamentals
PR.AC-7: Identities are proofed, bound to credentials and asserted in interactions.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Authentication of identities and binding to user data
1. Task description

The organization verifies the identity of users and associates them with user information. These should also be confirmed before any interaction.

Identity verification must be performed according to pre-written and approved rules.

Tasks included in the policy

Task name
Priority
Status
Theme
Policy
Other requirements
No items found.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.