IA-2: Identification and Authentication (Organizational Users)

NIST Baseline: Low

Tarleton State University (Tarleton) users must be uniquely identified and authenticated before access is granted to an information resource as specified in Control AC-2, Account Management.
- As specified in Control AC-14, Permitted Actions Without Identification or Authentication, public websites, information kiosks, and other situations where risk analysis demonstrates no need for individual accountability of users are exempt.
Multifactor authentication (MFA) should be implemented based on documented risk management decisions for access to privileged or non-privileged accounts where one of the factors is provided by an asset separate from the information being accessed.
MFA is required for any information resource that stores or processes confidential data, as required by Texas A&M University System (TAMUS) Regulation 29.01.03, Information Security, or critical data.