03.05.02 —
What this control requires
Source: NIST SP 800-171 R3 §03.05.02 (official control text).
Why this matters
Device identification and authentication ensures that only authorized hardware can connect to organizational networks and systems. Without this control, attackers can plug in rogue devices, join malicious endpoints to your domain, or intercept traffic through man-in-the-middle attacks. This control protects against unauthorized physical access points, compromised IoT devices, and shadow IT that bypass security monitoring. It enforces the principle that trust must extend beyond user credentials to the actual hardware requesting access, preventing lateral movement and data exfiltration through unmanaged devices.
What evidence assessors expect
Assessors typically look for: screenshot, CSV export, configuration export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on 03.05.02.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →