Quick-reference card
| Field | Value |
|---|---|
| Control ID | IA-11 |
| Control name | Re-authentication |
| Framework | NIST SP 800-53 Revision 5 |
| Control family | Identification and Authentication |
| Baselines | LOW MODERATE HIGH |
| Implementation level | Organization and System |
| Relevance | First Party and Third Party |
| Risk severity | Medium |
What this control requires
IA-11 requires organizations to force users to re-authenticate before continuing a session whenever security conditions change. That means your systems can’t treat a single login as a permanent trust decision. Sessions must be interrupted and credentials re-verified when roles change, privileges escalate, authenticator updates occur, or a defined time period expires.
In practice, this control goes beyond idle timeouts and device locks. It addresses the gap between initial authentication and ongoing trust, requiring organizations to treat identity verification as a continuous process rather than a one-time event. Organizations must define the specific circumstances that trigger re-authentication, such as accessing sensitive data repositories, executing privileged commands, or transitioning between security domains. These triggers must be documented, technically enforced, and auditable.
Without re-authentication policies, a compromised session token grants an attacker the same access the legitimate user had at login, potentially for hours. IA-11 closes that window by requiring systems to re-verify identity at high-risk moments, not just at the front door. This requirement applies across all three baselines, making it a universal expectation for any system operating under NIST SP 800-53.
Why it matters
Most organizations authenticate users once and then rely on session timeouts as their only re-verification mechanism. That approach leaves a wide gap between initial login and the moments when re-authentication actually matters, such as privilege escalation, role changes, or access to higher-sensitivity data.
Failure to maintain this control introduces audit risk and may result in certification withdrawal or regulatory findings. FedRAMP assessors and FISMA auditors specifically examine whether re-authentication triggers are defined, documented, and enforced across the Identification and Authentication control family. A missing or vague re-authentication policy creates a finding that can delay or block an authorization to operate (ATO).
Beyond compliance, the absence of re-authentication controls means that stolen session cookies or hijacked tokens provide uninterrupted access. An attacker who compromises a session doesn’t need to re-authenticate even when escalating privileges or accessing systems in a different security category. Zero trust architectures treat this gap as a fundamental design flaw, requiring continuous verification rather than perimeter-only checks.
Specifically, session-based attacks become far more damaging when the authenticated session carries implicit trust across security boundaries. A user authenticated at a standard access level who later accesses privileged administrative functions without re-verification gives attackers a direct escalation path that bypasses the controls established at login.
What attackers exploit
- Session hijacking after initial authentication. Attackers steal session tokens through cross-site scripting or man-in-the-middle attacks and maintain access without ever re-authenticating, even during privilege escalation.
- Credential stuffing with persistent sessions. Compromised credentials from MFA bypass techniques grant long-lived sessions when re-authentication isn’t triggered by role or context changes.
- Privilege escalation without re-verification. Users or attackers move from standard to privileged functions without the system requiring a fresh authentication challenge.
- Stale sessions across security boundaries. A session authenticated for one security category continues operating in a higher category without re-verification, violating the principle of least privilege.
How to implement
Re-authentication failures rarely stem from missing technology. They stem from undefined trigger conditions. Organizations that skip the policy step end up with session timeouts as their only mechanism, which doesn’t address the situations IA-11 actually requires.
For your organization
Step 1: Define re-authentication triggers. Document the specific circumstances requiring re-authentication. At minimum, include role changes, authenticator or credential updates, transitions between security categories, execution of privileged functions, and fixed time periods. Map each trigger to the systems and user populations it applies to.
Step 2: Configure technical enforcement. Implement re-authentication at the identity provider (IdP) or application layer. Most identity platforms, such as identity and access management (IAM) solutions and single sign-on (SSO) providers, support step-up authentication policies that can trigger based on resource sensitivity, user role, or session duration.
Step 3: Integrate with existing session management. Ensure re-authentication works alongside AC-11 device lock and AC-12 session termination controls within the broader NIST SP 800-53 framework. Re-authentication should be a distinct event from session timeout. A user returning from a device lock should re-authenticate, but re-authentication should also trigger independently when security conditions change mid-session.
Step 4: Test and validate. Run tabletop exercises confirming that each defined trigger actually forces re-authentication. Verify that privileged function execution, role changes, and security category transitions all produce an authentication challenge. Review audit logs to confirm re-authentication events are captured.
Common mistakes to avoid:
- Treating session timeout as the sole re-authentication mechanism
- Defining triggers in policy but failing to enforce them technically
- Applying re-authentication only to privileged users while exempting standard accounts that access sensitive data
- Failing to log re-authentication events separately from initial authentication
For your vendors
Questionnaire questions to include:
- Under what circumstances does your system require users to re-authenticate during an active session?
- How do you enforce re-authentication when users execute privileged functions or change roles?
- What is the maximum session duration before re-authentication is required?
- Are re-authentication events logged separately from initial authentication events?
Evidence to request:
- Re-authentication policy documenting defined triggers and applicable user populations
- System configuration screenshots showing step-up authentication rules at the IdP or application layer
- Audit log samples demonstrating re-authentication events triggered by role changes or privilege escalation
- Session management configuration showing time-based and event-based re-authentication enforcement
Red flags during assessment:
- The vendor describes only session timeouts when asked about re-authentication
- Re-authentication policy exists but no technical enforcement is configured
- Audit logs show no re-authentication events despite documented triggers
- Privileged functions can be executed without a fresh authentication challenge
Verification approach. Request a live demonstration or screen recording showing that a defined trigger, such as executing a privileged command, forces re-authentication. Cross-reference the demonstrated behavior against the documented policy and audit log entries.
Evidence examples
| Evidence type | Example artifact |
|---|---|
| Policy documentation | Identification and authentication policy defining re-authentication triggers, applicable user roles, and maximum session durations |
| System design documentation | System security plan sections describing re-authentication architecture, trigger conditions, and integration with the identity provider |
| Configuration evidence | IdP or application configuration screenshots showing step-up authentication rules tied to role changes, privilege escalation, and time-based triggers |
| Trigger definition | Documented list of circumstances requiring re-authentication, mapped to specific systems and user populations |
| Audit records | System audit logs showing re-authentication events correlated with defined trigger conditions, including timestamps and user identifiers |
| Procedures | Procedures addressing re-authentication enforcement, exception handling, and periodic review of trigger definitions |
Cross-framework mapping
| Framework | Control | Coverage |
|---|---|---|
| NIST SP 800-171 Rev 3 | 03.05.01 User Identification and Authentication | Partial |
Related controls
- AC-03 — Access Enforcement: defines the access decisions that re-authentication protects by ensuring users maintain valid credentials before enforcement occurs.
- AC-11 — Device Lock: triggers re-authentication after a device lock event, complementing IA-11’s session-level re-verification requirements.
- IA-02 — Identification and Authentication (Organizational Users): establishes the initial authentication that IA-11 extends by requiring periodic re-verification during active sessions.
- IA-03 — Device Identification and Authentication: addresses device-level authentication, which IA-11 supplements by re-verifying the user operating the authenticated device.
- IA-04 — Identifier Management: governs the identifiers that re-authentication validates, ensuring that changed or revoked identifiers trigger a new authentication challenge.
- IA-08 — Identification and Authentication (Non-organizational Users): extends authentication requirements to external users, whose sessions also require re-authentication under IA-11.
Frequently asked questions
What is NIST SP 800-53 IA-11?
IA-11 is the NIST SP 800-53 control that requires organizations to re-authenticate users when specific security conditions change during an active session. Unlike session timeouts, IA-11 targets events such as role changes, authenticator updates, privilege escalation, and transitions between security categories. This control applies across all three baselines (LOW, MODERATE, HIGH), making it a universal requirement for federal information systems and any organization adopting the NIST framework.
What happens if IA-11 is not implemented?
Without IA-11, a single authentication event grants uninterrupted access regardless of how security conditions change during a session. Attackers who hijack a session token can escalate privileges, change roles, or access higher-sensitivity systems without facing a re-authentication challenge. Auditors will flag the absence of defined re-authentication triggers as a finding, which can delay authorization decisions and create compliance gaps across related controls like AC-03 and AC-11.
How do you audit IA-11?
Auditors verify IA-11 by examining the documented list of circumstances requiring re-authentication and confirming that those triggers are technically enforced. The assessment process reviews system configuration settings at the identity provider or application layer, then cross-references audit log entries for re-authentication events against the defined trigger conditions. Auditors also interview system administrators to confirm that re-authentication procedures cover role changes, credential updates, and privileged function execution.
When should users be required to re-authenticate?
Users should be required to re-authenticate whenever their session context changes in a way that affects trust. Common triggers include executing privileged functions, changing roles or access levels, updating authenticators or credentials, moving between systems with different security categories, and reaching a defined maximum session duration. Organizations must document these triggers in their identification and authentication policy and map each trigger to the systems and user populations it covers.