Verify identity before granting any access to the system.
What it actually means
Before anything reaches CUI, its identity is verified. Users authenticate through your identity provider; devices authenticate through MDM compliance and conditional access. No anonymous or unauthenticated access to the CUI environment.
Pass or fail — an assessor needs a "yes" to each
- All access paths require authentication first.
- Device authentication is enforced (compliant-device checks).
- No anonymous access to CUI systems.
What to have ready
- Identity-provider authentication settings
- Conditional-access policies requiring authenticated, compliant devices
Where teams trip up
- A path into the environment that skips authentication
- Device authentication not enforced (any device can connect once a user logs in)
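
The device-authentication gap above can be checked mechanically against exported conditional-access policies. The following is an added example, not part of the original page: it assumes policies in the Microsoft Graph conditionalAccessPolicy JSON shape (the page names no vendor), and the helper names and sample policies are constructed for illustration.

```python
# Added example, not from the page. Assumes policies exported in the Microsoft
# Graph conditionalAccessPolicy JSON shape; the page itself names no vendor.

def device_gate_findings(policy):
    """Reasons this policy does not force a compliant device on every path."""
    cond = policy.get("conditions", {})
    users, apps = cond.get("users", {}), cond.get("applications", {})
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    findings = []
    if policy.get("state") != "enabled":  # report-only or disabled
        findings.append("not enforced")
    if "compliantDevice" not in controls:
        findings.append("no compliantDevice control")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        # OR lets another control (e.g. MFA alone) satisfy the policy
        findings.append("compliantDevice optional")
    if "All" not in users.get("includeUsers", []):
        findings.append("not all users")
    if "All" not in apps.get("includeApplications", []):
        findings.append("not all applications")
    for scope, key in ((users, "excludeUsers"), (users, "excludeGroups"),
                       (apps, "excludeApplications")):
        if scope.get(key):  # every carve-out is a path to review
            findings.append("carve-out: " + key)
    return findings

def environment_passes(policies):
    """True if at least one policy gates all users and apps with no gaps."""
    return any(not device_gate_findings(p) for p in policies)

def _policy(name, state, operator, controls, exclude_groups=()):
    """Build a constructed sample policy scoped to all users and applications."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"],
                                     "excludeGroups": list(exclude_groups)},
                           "applications": {"includeApplications": ["All"]}},
            "grantControls": {"operator": operator, "builtInControls": controls}}

SAMPLE_POLICIES = [  # constructed data, not a real tenant export
    _policy("MFA or compliant device", "enabled", "OR", ["mfa", "compliantDevice"]),
    _policy("Compliant device (pilot)", "enabledForReportingButNotEnforced",
            "AND", ["compliantDevice"]),
    _policy("Compliant device", "enabled", "AND", ["mfa", "compliantDevice"],
            exclude_groups=["legacy-scanners"]),
]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["displayName"], "->", device_gate_findings(p))
    print("environment passes:", environment_passes(SAMPLE_POLICIES))
```

The check is deliberately strict: a carve-out finding is a prompt to document and review that exclusion, not a verdict on it.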