Establishes requirements for identifying and authenticating users, processes, and devices before granting access to OCSI systems — covering 11 controls per NIST SP 800-171 Rev 2.
OCSI shall identify and authenticate users, processes, and devices as a prerequisite to allowing access to organizational systems containing CUI. Authentication mechanisms shall employ cryptographic protections and meet FIPS compliance standards.
| Control | Requirement | Implementation | Status |
|---|---|---|---|
| 3.5.1 | Identify system users, processes acting on behalf of users, and devices | Single hardcoded admin account identified by email address. Gap: No individual user accounts, no user directory, no device identification. | Partial |
| 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices as a prerequisite to allowing access | Authentication via email + password verified against SHA-256 hash using Web Crypto API. CRITICAL: Plaintext password ('OCSIAdmin2026!') is visible in source code (line 773). Client-side only — bypassable via DevTools. | Critical Gap |
| 3.5.3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts | NOT IMPLEMENTED. Zero MFA code exists. Only single-factor (password) authentication. This is a CMMC Level 2 mandatory requirement. | Not Implemented |
| 3.5.4 | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts | SessionStorage-based tokens — not cryptographically generated. No server-side token validation. Gap: sessionStorage.setItem('ocsi_admin_auth','true') grants instant access. | Not Implemented |
| 3.5.5 | Prevent reuse of identifiers for a defined period | Single hardcoded credential — only one account exists. No identifier management system. | Not Implemented |
| 3.5.6 | Disable identifiers after a defined period of inactivity | Sessions terminated after 30 minutes of inactivity (client-side). Gap: No permanent account disablement for inactive users — only one account exists. | Partial |
| 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created | NOT IMPLEMENTED. No password complexity validation code exists. No minimum length check, no complexity regex. Single hardcoded password. | Not Implemented |
| 3.5.8 | Prohibit password reuse for a specified number of generations | NOT IMPLEMENTED. No password change functionality exists. Single hardcoded credential. | Not Implemented |
| 3.5.9 | Allow temporary password use for system logons with an immediate change to a permanent password | NOT IMPLEMENTED. No password change mechanism. No temporary password flow. | Not Implemented |
| 3.5.10 | Store and transmit only cryptographically-protected passwords | CRITICAL FAILURE. The plaintext password 'OCSIAdmin2026!' is in the JavaScript source code (line 773), visible to anyone who views page source. The SHA-256 comparison value (not a salted bcrypt/Argon2 hash) is computed at runtime from that plaintext, so hashing adds no protection. | Critical Gap |
| 3.5.11 | Obscure feedback of authentication information | Password input uses type="password" with masked display. Error messages show generic "Invalid credentials." This control is properly implemented. | Implemented |
crypto.subtle.digest('SHA-256', ...), which is a FIPS 140-2 compatible implementation built into modern browsers.