The purpose of this policy is to protect information services and resources used for UW-Madison purposes. Many cybersecurity threats and vulnerabilities involve compromised credentials. Maintaining up-to-date practices in digital identity, IT credentialing, and authentication greatly reduces cybersecurity risk. The user community’s acceptance of and participation in digital identity practices relies on the availability of appropriate infrastructure and training/education support.
For additional definitions please see the IT Policy Glossary.
This policy applies to all UW–Madison-owned and non-UW–Madison-owned devices and services that are used for UW–Madison purposes, as described in the UW System Board of Regents policy 25-3 “Acceptable Use of Information Resources.” It applies to all persons or entities authenticating to access UW–Madison information services or other information resources and to all providers of information services and other information resources used for UW–Madison purposes.
Specific Standards adopted under this policy will be based on evidence-based, peer-reviewed research and standards, except when there are legal, regulatory or contractual requirements to adopt other standards for specific use cases.
NIST SP 800-63 is adopted as the reference standard for implementations and use-case standards under this policy. When appropriate, a newer reference standard to replace NIST SP 800-63 may be adopted through the designated approval process.
UW–Madison will develop and maintain Standards for specific use cases. The Standards will describe how to apply this policy based on the adopted Reference Standard.
NIST SP 800-63 and other adopted standards may be adapted to appropriately respond to unique UW–Madison requirements.
When it is not technically possible or practical to comply with the Reference Standard, as adapted, a Use-Case-Specific Standard may be developed. Use-Case-Specific Standards and associated system implementations may include additional security controls where appropriate. Use-Case-Specific Standards and system implementations will be developed by appropriate IT staff in collaboration with the Office of Cybersecurity and will be guided by the Reference Standard. Use-Case-Specific Standards and system implementations will apply security controls appropriate to the risk of the specific use case.
Use-Case-Specific authentication and authorization Standards and implementation for any IT system must be documented. Documentation must be provided for review as part of any relevant risk assessment and the risks associated with the Use-Case-Specific Standard and implementation must be accepted by the designated Risk Executive, as defined in UW–503 Cybersecurity Risk Management.
The following must be considered by UW–Madison information service providers when acquiring, designing, building, documenting, deploying, communicating, and evaluating the IT credentials, IT systems and services, and related practices used to protect UW–Madison information resources.
The Vice Provost for Information Technology (VP-IT) and Chief Information Officer (CIO) will designate an appropriate credentials and authentication Advisory Group. This group will advise the VP-IT (CIO) and other responsible leaders on:
Final decisions on these matters will be made by the VP-IT (CIO) or other appropriate campus leadership, in consultation with the Information Technology Committee (ITC).
The VP-IT (CIO) will support this policy by providing:
IT Credentials Implementation Plan
IT Credentials Policy and Password Standard FAQs
Privileged Account Management Standards (in development)
NIST SP 800-63 Digital Identity Guidelines
UW System Board of Regents Policy 25.3 Acceptable Use of Information Resources
UW System Administration Policy 1030 Information Security: Authentication
UW System Administration Procedure 1030.A Information Security: Authentication Standard
UW System Administration Policy 1000 General Terms and Definitions