03.05.01 — (a) Uniquely identify and authenticate system users, and associate that unique identification with processes acting on behalf of those users. (b) Re-authenticate users when [organization-defined parameter A.03.05.01.ODP.01].
What this control requires
(a) Uniquely identify and authenticate system users, and associate that unique identification with processes acting on behalf of those users. (b) Re-authenticate users when [organization-defined parameter A.03.05.01.ODP.01].
Source: NIST SP 800-171 R3 §03.05.01 (official control text).
Why this matters
Every action in your systems must trace back to a real person. Unique user identification prevents shared accounts, which obscure accountability when incidents occur or audits demand chain-of-custody. Authentication proves the person logging in is who they claim to be—stopping unauthorized actors from masquerading as legitimate users. Re-authentication for sensitive operations (like deleting databases or accessing customer data) adds a critical checkpoint: even if credentials leak mid-session, attackers can't execute high-risk commands without fresh proof of identity. This control directly prevents insider threats, credential stuffing, and privilege escalation.
What evidence assessors expect
Assessors typically look for: CSV export, screenshot, configuration export, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.