This requirement is P0 and is not required for FISMA moderate. Organizations that choose to adopt adaptive identification and authentication capabilities may do so by delegating this requirement to their existing identity management infrastructure. For example, a deployer may choose to require adaptive authentication at the IdP prior to issuance of a SAML assertion. The user accessing Tanzu Application Service (TAS for VMs) will be required to present a valid assertion; however, the authentication mechanism required to obtain that assertion is considered out of scope from the perspective of the TAS for VMs platform as the relying party.
The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].
Adversaries may compromise individual authentication mechanisms and subsequently attempt to impersonate legitimate users. This situation can potentially occur with any authentication mechanisms employed by organizations. To address this threat, organizations may employ specific techniques/mechanisms and establish protocols to assess suspicious behavior (e.g., individuals accessing information that they do not typically access as part of their normal duties, roles, or responsibilities, accessing greater quantities of information than the individuals would routinely access, or attempting to access information from suspicious network addresses). In these situations when certain preestablished conditions or triggers occur, organizations can require selected individuals to provide additional authentication information. Another potential use for adaptive identification and authentication is to increase the strength of mechanism based on the number and/or types of records being accessed.
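The trigger evaluation described above can be sketched as a step-up decision of the kind an identity provider would make before issuing an assertion. This is an added example, not code from TAS for VMs or from the control text. The thresholds, trigger names, network range, and numeric levels are assumptions standing in for the organization-defined values.

```python
import ipaddress
from dataclasses import dataclass

# Organization-defined values, constructed for illustration.
VOLUME_FACTOR = 3        # "greater quantities": over 3x the user's routine volume
BULK_RECORDS = 10_000    # record count that always demands the strongest mechanism
SUSPICIOUS_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 sample range

@dataclass
class Baseline:
    usual_resources: frozenset   # resources tied to the user's normal duties
    routine_records: int         # records the user routinely reads per request

@dataclass
class AccessRequest:
    resource: str
    records: int
    source_ip: str

def fired_triggers(req, baseline):
    """Return the names of the preestablished triggers this request matches."""
    if baseline is None:                       # no history: fail closed
        return ["no_baseline"]
    triggers = []
    if req.resource not in baseline.usual_resources:
        triggers.append("atypical_resource")
    if req.records > VOLUME_FACTOR * baseline.routine_records:
        triggers.append("excess_volume")
    try:
        addr = ipaddress.ip_address(req.source_ip)
        if any(addr in net for net in SUSPICIOUS_NETS):
            triggers.append("suspicious_network")
    except ValueError:                         # unparseable source: fail closed
        triggers.append("invalid_source")
    return triggers

def required_auth(req, baseline):
    """Return (level, triggers): 0 = existing session is enough,
    1 = one supplemental factor, 2 = strongest mechanism available."""
    triggers = fired_triggers(req, baseline)
    if req.records >= BULK_RECORDS or len(triggers) >= 2:
        return 2, triggers
    return (1 if triggers else 0), triggers
```

Returning the trigger names alongside the level lets the decision be logged, so a later review can see which condition caused each step-up.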