EIG Crawl Phase Demonstration Results#
Note
This page is supplementary material for the NIST SP 1800-35 publication.
This section lists the full demonstration results for each of the builds that was implemented as part of the EIG crawl phase: E1B1, E2B1, and E3B1.
Enterprise 1 Build 1 (E1B1) - EIG Crawl - Okta Identity Cloud and Ivanti Access ZSO as PEs Detailed Demonstration Results#
Table 1 lists the detailed results for all EIG crawl phase demonstrations run in Enterprise 1 Build 1 (E1B1). While the technology deployed in E1B1 was able to determine endpoint compliance for mobile devices and prevent noncompliant mobile endpoints from accessing resources, it was not able to determine the compliance status of desktop endpoints and automatically use that as a determining factor in deciding whether access requests originating from that desktop endpoint should be granted. Consequently, the results listed in this section only include demonstrations in which the requesting endpoints are mobile devices. No demonstrations were performed in which the requesting device was a desktop system. In all demonstrations that were conducted, the ZTA functionality included in the build performed as expected.
Table 1 - Detailed Demonstration Results for E1B1
Demo ID |
Expected Outcome |
Observed Outcome |
Comments |
---|---|---|---|
A-1.1.a-m |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build. All devices are already joined to the network. There is no tool that can keep any entity (RSS, EP, BYOD, or guest device) from joining the network based on its authentication status. |
A-1.2.a-m |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build. |
A-1.3.a-f |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build. |
A-1.4.a-g |
N/A |
N/A |
Cloud-based resources are out of scope until the run phase. |
A-2.1.a-i |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build. There is no tool that can reauthenticate any entity (RSS, EP, BYOD, or guest device) and terminate its network access based on authentication status. |
A-2.2.a-i |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build based on reauthentication status. |
A-2.3.a-f |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build based on reauthentication status. |
A-2.4.a-f |
N/A |
N/A |
Cloud-based resources are out of scope until the run phase. |
A-3.1.a, A-3.3.a, A-3.5.a |
User request and action is recorded |
User login to an application is logged |
Success: Okta records the authentication logs. Administrators can log in to Okta and view logs of when a user logged onto an application and whether the authentication was successful or not. |
A-3.1.b, A-3.3.b |
API call is recorded |
Logs contain relevant API information |
Success: Okta logs have relevant information about the authentication between the user and resource. |
A-3.2.a-b, A-3.4.a-b, A-3.6.a |
N/A |
N/A |
Cloud-based resources are out of scope until the run phase. |
B-1.1.a, B-1.2.a, B-1.3.a, B-4.1.a, B-4.2.a, B-4.3.a, D-1.1.a, D-1.2.a, D-1.3.a, D-4.1.a, D-4.2.a, D-4.3.a |
Access Successful |
Access Successful |
Partial success: For the mobile endpoint, user access to resource RSS1 is based on endpoint compliance. However, we cannot validate compliance of RSS1. |
B-1.1.b, B-1.2.b, B-1.3.b, B-4.1.b, B-4.2.b, B-4.3.b, D-1.1.b, D-1.2.b, D-1.3.b, D-4.1.b, D-4.2.b, D-4.3.b |
Access Successful |
Access Successful |
Partial success: For the mobile endpoint, user access to resource RSS2 is based on endpoint compliance. However, we cannot validate compliance of RSS2. |
B-1.1.c, B-1.2.c, B-1.3.c, B-4.1.c, B-4.2.c, B-4.3.c, D-1.1.c, D-1.2.c, D-1.3.c, D-4.1.c, D-4.2.c, D-4.3.c |
Access Not Successful |
Access Not Successful |
Partial success: Demonstrated user authentication failure at the mobile endpoint, but we cannot validate compliance on RSS1. Partial demonstration completed with user not able to log in to mobile device. |
B-1.1.d, B-1.2.d, B-1.3.d, B-4.1.d, B-4.2.d, B-4.3.d, D-1.1.d, D-1.2.d, D-1.3.d, D-4.1.d, D-4.2.d, D-4.3.d |
Access Not Successful |
Access Not Successful |
Partial success: Mobile: Based on configuration in Ent1, the E2 is not authorized to access RSS1 based on enterprise governance policy. Also, RSS compliance cannot be demonstrated in this phase. In this case, user is not granted access to RSS1. |
B-1.1.e, B-1.2.e, B-1.3.e, B-4.1.e, B-4.2.e, B-4.3.e, D-1.1.e, D-1.2.e, D-1.3.e, D-4.1.e, D-4.2.e, D-4.3.e |
Access Successful |
Access Successful |
Partial success: Mobile: User access to RSS2 is based on the EP’s compliance. Cannot validate compliance on RSS2. Partial demonstration. |
B-1.1.f, B-1.2.f, B-1.3.f, B-4.1.f, B-4.2.f, B-4.3.f, D-1.1.f, D-1.2.f, D-1.3.f, D-4.1.f, D-4.2.f, D-4.3.f |
Access Not Successful |
Access Not Successful |
Partial success: Mobile: User authentication failure is at the endpoint. Cannot validate compliance on RSS1. Partial demonstration completed with user not able to log in to mobile device. |
B-1.1.g, B-1.2.g, B-1.3.g, B-4.1.g, B-4.2.g, B-4.3.g, D-1.1.g, D-1.2.g, D-1.3.g, D-4.1.g, D-4.2.g, D-4.3.g |
Access Not Successful |
N/A |
Demonstration cannot be completed. Mobile: must have certain tools installed to manage the mobile device and its compliance. The only way this happens is if the user forgets the login password on the mobile device. |
B-1.1.h, B-1.2.h, B-1.3.h, B-4.1.h, B-4.2.h, B-4.3.h, D-1.1.h, D-1.2.h, D-1.3.h, D-4.1.h, D-4.2.h, D-4.3.h |
Access Successful |
Access Successful |
Success: GitLab session timeout is set to one minute for demonstration purposes. After session timed out, user was reauthenticated. |
B-1.1.i, B-1.2.i, B-1.3.i, B-4.1.i, B-4.2.i, B-4.3.i, D-1.1.i, D-1.2.i, D-1.3.i, D-4.1.i, D-4.2.i, D-4.3.i |
Access Not Successful |
N/A |
Success: Only way to do this is to not use Okta FastPass, which would make this case invalid. We pressed “No” on Okta FastPass and access was denied. |
B-1.1.j, B-1.2.j, B-1.3.j, B-4.1.j, B-4.2.j, B-4.3.j, D-1.1.j, D-1.2.j, D-1.3.j, D-4.1.j, D-4.2.j, D-4.3.j |
Access Not Successful |
Access Not Successful |
Success: On Ivanti, after initial authentication, implemented a block on the Mobile Iron cloud. After GitLab timed out, re-authentication was unsuccessful. |
B-1.1.k, B-1.2.k, B-1.3.k, B-4.1.k, B-4.2.k, B-4.3.k, D-1.1.k, D-1.2.k, D-1.3.k, D-4.1.k, D-4.2.k, D-4.3.k |
Access Limited |
N/A |
Partial success: Access to RSS2 is blocked. Currently cannot perform limited access. |
B-1.1.l-m, B-1.2.l-m, B-1.3.l-m, B-4.1.l-m, B-4.2.l-m, B-4.3.l-m, D-1.1.l-m, D-1.2.l-m, D-1.3.l-m, D-4.1.l-m, D-4.2.l-m, D-4.3.l-m |
Access Denied |
Access Denied |
Success: User was denied access because the endpoint was noncompliant. |
B-1.1.n-p, B-1.2.n-p, B-1.3.n-p, B-4.1.n-p, B-4.2.n-p, B-4.3.n-p, D-1.1.n-p, D-1.2.n-p, D-1.3.n-p, D-4.1.n-p, D-4.2.n-p, D-4.3.n-p |
N/A |
N/A |
Demonstration cannot be run. Unable to perform compliance checks on RSS. |
B-1.2.a-p |
The results are the same as B-1.1 since network policies allow access from branch to Ent1. See results from B-1.1. |
||
B-1.3.a-p |
The results are the same as B-1.1 given that network policies allow the user/device to access the enterprise remotely using a VPN connection. See results from B-1.1. |
||
B-1.4.a-p, B-1.5.a-p, B-1.6.a-p, B-4.4.a-p, B-4.5.a-q, and B-4.6.a-p |
N/A |
N/A |
Cloud-based resources are out of scope until run phase. |
B-2.1.a-p, B-2.2.a-p, B-5 |
N/A |
N/A |
Out of scope until run phase. Tools are needed to create policies to allow or deny access to internet resources. |
B-3, B-6 |
N/A |
N/A |
Out of scope until run phase. |
B-4 |
As documented in the rows above, the results of all B-4 use case demonstrations are the same as the results of the B-1 use cases because the device is both authenticated and compliant. In this case, a BYOD device will have to install both the Ivanti Neurons for Unified Endpoint Management (UEM) agent and Okta Verify App. See results from B-1.1 for B-4.1, B-4.2, and B-4.3. |
||
All C Use Cases |
N/A |
N/A |
Demonstrations cannot be performed. Currently, no federation configuration has been set up between Ent1, Ent2, and Ent3. |
All D Use Cases |
As documented in the rows above, the results of all D use case demonstrations are the same as the results of the B use cases. Note that the user is a contractor and will have access to resources based on need. The Ivanti Neurons for UEM agent and Okta Verify App will have to be installed on the contractor’s device, whether it’s provided by the enterprise or BYOD. |
||
All E Use Cases |
N/A |
N/A |
Guest (No-ID) access is considered out of scope for the EIG crawl phase. |
All F Use Cases |
N/A |
N/A |
Confidence level use cases are considered out of scope for the EIG crawl phase. |
Enterprise 2 Build 1 (E2B1) - EIG Crawl - Ping Identity Ping Federate as PE Detailed Demonstration Results#
Table 2 lists the detailed results for all EIG crawl phase demonstrations run in Enterprise 2 Build 1 (E2B1). The technology deployed in E2B1 was able to determine endpoint compliance for Android, iOS, Windows, and macOS devices and prevent noncompliant endpoints from accessing private resources. Consequently, compliance of endpoints was observed with health checks from Duo prior to the second-factor authentication.
Table 2 - Detailed Demonstration Results for E2B1
Demo ID |
Expected Outcome |
Observed Outcome |
Comments |
---|---|---|---|
A-1.1.a-m |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build. All devices are already joined to the network. There is no tool that can keep any entity (RSS, EP, BYOD, or guest device) from joining the network based on its authentication status. |
A-1.2.a-m, A-1.3.a-f |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build. |
A-1.4.a-g |
N/A |
N/A |
Cloud-based resources are out of scope until the run phase. |
A-2.1.a-i |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build. There is no tool that can reauthenticate any entity (RSS, EP, BYOD, or guest device) and terminate its network access based on authentication status. |
A-2.2.a-I, A-2.3.a-f |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build based on reauthentication status. |
A-2.4.a-f |
N/A |
N/A |
Cloud-based resources are out of scope until the run phase. |
A-3.1.a, A-3.3.a, A-3.5.a |
User request and action is recorded |
User login to an application is logged |
Success: Both Ping Federate and Duo record the authentication logs. Administrators can view logs of when a user logged onto an application and whether the authentication was successful or not. |
A-3.1.b, A-3.3.b |
API call is recorded |
Logs contain relevant API information |
Success: Ping Federate and Duo logs have relevant information about the authentication between the user and resource. |
A-3.2.a-b, A-3.4.a-b, A-3.6.a |
N/A |
N/A |
Cloud-based resources are out of scope until the run phase. |
B-1.1.a, B-1.2.a, B-1.3.a, B-4.1.a, B-4.2.a, B-4.3.a, D-1.1.a, D-1.2.a, D-1.3.a, D-4.1.a, D-4.2.a, D-4.3.a |
Access Successful |
Access Successful |
Partial success: User access to resource RSS1 is based on endpoint compliance. Users must have Duo client installed on device for health check. Users also must have Duo Mobile installed on a mobile device to perform second-factor authentication. However, we cannot validate compliance of RSS1, so we label this “partial success”. |
B-1.1.b, B-1.2.b, B-1.3.b, B-4.1.b, B-4.2.b, B-4.3.b, D-1.1.b, D-1.2.b, D-1.3.b, D-4.1.b, D-4.2.b, D-4.3.b |
Access Successful |
Access Successful |
Partial success due to scope: User access to resource RSS2 is based on endpoint compliance. However, we cannot validate compliance of RSS2. |
B-1.1.c, B-1.2.c, B-1.3.c, B-4.1.c, B-4.2.c, B-4.3.c, D-1.1.c, D-1.2.c, D-1.3.c, D-4.1.c, D-4.2.c, D-4.3.c |
Access Not Successful |
Access Not Successful |
Partial success: Demonstrated user authentication failure at the endpoint, but we cannot validate compliance on RSS1. Partial demonstration completed with user not able to log in to RSS1 due to incorrect credentials. |
B-1.1.d, B-1.2.d, B-1.3.d, B-4.1.d, B-4.2.d, B-4.3.d, D-1.1.d, D-1.2.d, D-1.3.d, D-4.1.d, D-4.2.d, D-4.3.d |
Access Not Successful |
Access Not Successful |
Partial success: Based on configuration in Ent2, the E2 is not authorized to access RSS1 based on enterprise governance policy. Also, RSS compliance cannot be demonstrated in this phase. In this case, user is not granted access to RSS1. |
B-1.1.e, B-1.2.e, B-1.3.e, B-4.1.e, B-4.2.e, B-4.3.e, D-1.1.e, D-1.2.e, D-1.3.e, D-4.1.e, D-4.2.e, D-4.3.e |
Access Successful |
Access Successful |
Partial success: User access to RSS2 is based on the EP’s compliance. Cannot validate compliance on RSS2. Partial demonstration. |
B-1.1.f, B-1.2.f, B-1.3.f, B-4.1.f, B-4.2.f, B-4.3.f, D-1.1.f, D-1.2.f, D-1.3.f, D-4.1.f, D-4.2.f, D-4.3.f |
Access Not Successful |
Access Not Successful |
Partial success: User authentication failure is at the endpoint. Cannot validate compliance on RSS1. Partial demonstration completed with user not able to log in from device. |
B-1.1.g, B-1.2.g, B-1.3.g, B-4.1.g, B-4.2.g, B-4.3.g, D-1.1.g, D-1.2.g, D-1.3.g, D-4.1.g, D-4.2.g, D-4.3.g |
Access Not Successful |
N/A |
Demonstration cannot be completed. Must have certain tools installed to manage the mobile device and its compliance. The only way this happens is if the user forgets the login password on the mobile device. |
B-1.1.h, B-1.2.h, B-1.3.h, B-4.1.h, B-4.2.h, B-4.3.h, D-1.1.h, D-1.2.h, D-1.3.h, D-4.1.h, D-4.2.h, D-4.3.h |
Access Successful |
Access Successful |
Success: GitLab session timeout is set to one minute for demonstration purposes. After session timed out, user was reauthenticated. |
B-1.1.i, B-1.2.i, B-1.3.i, B-4.1.i, B-4.2.i, B-4.3.i, D-1.1.i, D-1.2.i, D-1.3.i, D-4.1.i, D-4.2.i, D-4.3.i |
Access Not Successful |
Access Not Successful |
Success: Only way to do this is to put in a wrong password for failure. |
B-1.1.j, B-1.2.j, B-1.3.j, B-4.1.j, B-4.2.j, B-4.3.j, D-1.1.j, D-1.2.j, D-1.3.j, D-4.1.j, D-4.2.j, D-4.3.j |
Access Not Successful |
Access Not Successful |
Success: On Duo, implemented a block on devices that do not have firewall enabled. After GitLab timed out, we turned off the firewall on the device and reauthentication was unsuccessful. |
B-1.1.k, B-1.2.k, B-1.3.k, B-4.1.k, B-4.2.k, B-4.3.k, D-1.1.k, D-1.2.k, D-1.3.k, D-4.1.k, D-4.2.k, D-4.3.k |
Access Limited |
N/A |
Partial success: Access to RSS2 is blocked if EP is not compliant. Currently cannot perform limited access. |
B-1.1.l-m, B-1.2.l-m, B-1.3.l-m, B-4.1.l-m, B-4.2.l-m, B-4.3.l-m, D-1.1.l-m, D-1.2.l-m, D-1.3.l-m, D-4.1.l-m, D-4.2.l-m, D-4.3.l-m |
Access Denied |
Access Denied |
Success: User was denied access because the endpoint was noncompliant. |
B-1.1.n-p, B-1.2.n-p, B-1.3.n-p, B-4.1.n-p, B-4.2.n-p, B-4.3.n-p, D-1.1.n-p, D-1.2.n-p, D-1.3.n-p, D-4.1.n-p, D-4.2.n-p, D-4.3.n-p |
N/A |
N/A |
Demonstration cannot be run. Unable to perform compliance checks on RSS. |
B-1.2.a-p |
The results are the same as B-1.1 since network policies allow access from a branch office to Ent2. See results from B-1.1. (Note: Ent2 does not have a branch office. If we were to create a branch office, the network policies will allow the branch office to Ent2. Therefore, it would be part of the Ent2 policies and results would be identical to B-1.1.) |
||
B-1.3.a-p |
The results are the same as B-1.1, given that network policies allow the user/device to access the enterprise remotely using a VPN connection. See results from B-1.1. |
||
B-1.4.a-p, B-1.5.a-p, B-1.6.a-p, B-4.4.a-p, B-4.5.a-q, and B-4.6.a-p |
N/A |
N/A |
Cloud-based resources are out of scope until run phase. |
B-2.1.a-p, B-2.2.a-p, B-5 |
N/A |
N/A |
Out of scope until run phase. Tools are needed to create policies to allow or deny access to internet resources. |
B-3, B-6 |
N/A |
N/A |
Out of scope until run phase. |
B-4 |
As documented in the rows above, the results of all B-4 use case demonstrations are the same as the results of the B-1 use cases because the device is both authenticated and compliant. In this case, a BYOD device will have to install Duo client for health check. See results from B-1.1 for B-4.1, B-4.2, and B-4.3. |
||
All C Use Cases |
N/A |
N/A |
Demonstrations cannot be performed. Currently, no federation configuration has been set up between Ent1, Ent2, and Ent3. |
All D Use Cases |
As documented in the rows above, the results of all D use case demonstrations are the same as the results of the B use cases. Note that the user is a contractor and will have access to resources based on need. The Duo client will have to be installed on the contractor’s device, whether it’s provided by the enterprise or BYOD. User must also install Duo Mobile on their mobile device for second-factor authentication. |
||
All E Use Cases |
N/A |
N/A |
Guest (No-ID) access is considered out of scope for the EIG crawl phase. |
All F Use Cases |
N/A |
N/A |
Confidence level use cases are considered out of scope for the EIG crawl phase. |
Enterprise 3 Build 1 (E3B1) - EIG Crawl - Azure AD Conditional Access (later renamed Entra Conditional Access) as PE Detailed Demonstration Results#
Table 3 lists the detailed demonstration results for all EIG crawl phase demonstrations run in Enterprise 3 Build 1 (E3B1). The technology deployed in E3B1 was able to determine endpoint compliance for Windows, macOS, and mobile devices and prevent noncompliant endpoints from accessing private resources.
Table 3 - Detailed Demonstration Results for E3B1
Demo ID |
Expected Outcome |
Observed Outcome |
Comments |
---|---|---|---|
A-1.1.a-m |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build. All devices are already joined to the network. There is no tool that can keep any entity (RSS, EP, BYOD, or guest device) from joining the network based on its authentication status. |
A-1.2.a-m |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build. |
A-1.3.a-f |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build. |
A-1.4.a-g |
N/A |
N/A |
Cloud-based resources are out of scope until run phase. |
A-2.1.a-i |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build. There is no tool that can reauthenticate any entity (RSS, EP, BYOD, or guest device) and terminate its network access based on authentication status. |
A-2.2.a-i |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build based on reauthentication status. |
A-2.3.a-f |
N/A |
N/A |
Demonstration cannot be completed. There is no network-level enforcement present in this build based on reauthentication status. |
A-2.4.a-f |
N/A |
N/A |
Cloud-based resources are out of scope until run phase. |
A-3.1.a, A-3.3.a, A-3.5.a |
User request and action is recorded |
User login to an application is logged |
Success: Azure AD records the authentication logs. Administrators can log in to Azure AD and view logs of when a user logged onto an application and whether the authentication was successful or not. |
A-3.1.b, A-3.3.b |
API call is recorded |
Logs contain relevant API information |
Success: Azure AD logs have relevant information about the authentication between the user and resource. |
A-3.2.a-b, A-3.4.a-b, A-3.6.a |
N/A |
N/A |
Cloud-based resources are out of scope until run phase. |
B-1.1.a |
Access Successful |
Access Successful |
Partial Success: Users access RSS1 based on the EP compliance. Cannot validate compliance of RSS1, so can only partially demonstrate. |
B-1.1.b |
Access Successful |
Access Successful |
Partial Success: Authenticated user access to RSS2 successful. Can only partially demonstrate because cannot validate compliance on RSS2. |
B-1.1.c |
Access Not Successful |
Access Not Successful |
Partial Success: User authentication failure prevents access. Cannot validate compliance on RSS1. Partial demonstration completed with user not able to authenticate. |
B-1.1.d |
Access Not Successful |
Access Not Successful |
Partial Success: Based on configuration in Ent 3, the E2 is not authorized to access RSS1 based on enterprise governance policy. Also, RSS compliance cannot be demonstrated in this phase. In this case, user is not granted access to RSS1. |
B-1.1.e |
Access Successful |
Access Successful |
Partial Success: Authenticated user access to RSS2 successful. Can partially demonstrate. Cannot validate compliance on RSS2. |
B-1.1.f |
Access Not Successful |
Access Not Successful |
Success: User authentication failure prevents access. |
B-1.1.g |
Access Not Successful |
Access Not Successful |
Success: User authentication failure prevents access. |
B-1.1.h |
Access Successful |
Access Successful |
Partial Success: GitLab session timeout is set to one minute for demonstration purposes. After session timed out, user was re-authenticated. Can only partially demonstrated because cannot validate RSS1 compliance. |
B-1.1.i |
Access Not Successful |
Access Not Successful |
Success: Unauthenticated users were prevented from accessing resources. |
B-1.1.j |
Access Not Successful |
Access Not Successful |
Partial Success: Authenticated user access to RSS1 successful. Can partially demonstrate. Cannot validate compliance on RSS1. After GitLab timed out, reauthentication was unsuccessful. |
B-1.1.k |
Access Limited |
N/A |
Not able to demonstrate with current set of technologies. Cannot limit access based on device noncompliance. |
B-1.1.l-p |
N/A |
N/A |
Cannot demonstrate. Unable to perform compliance checks on RSS. |
B-1.2.a-p |
N/A |
N/A |
Cannot test because there is no branch office in Ent. 3. |
B-1.3.a-p |
The results are the same as B-1.1, given that network policies allow the user/device to access the enterprise remotely using a VPN connection. See results from B-1.1. |
||
B-1.4.a-p, B-1.5.a-p, and B-1.6.a-p |
N/A |
N/A |
Cloud-based resources are out of scope until run phase. |
B-2, B-5 |
N/A |
N/A |
Out of scope until run phase. Tools are needed to create policies to allow or deny access to internet resources. |
B-3, B-6 |
N/A |
N/A |
Out of scope until run phase. |
B-4 |
All demonstrations here are the same as B-1 since the device is both authenticated and compliant. |
||
All C Use Cases |
N/A |
N/A |
Demonstrations cannot be performed. Currently, no federation configuration has been set up between Ent1, Ent2, and Ent3. |
All D Use Cases |
All demonstrations here are the same as B-1 since the device is both authenticated and compliant. Note that the user is a contractor. |
||
All E Use Cases |
N/A |
N/A |
Guest (No-ID) access is considered out of scope for the EIG crawl phase. |
All F Use Cases |
N/A |
N/A |
Confidence level use cases are considered out of scope for the EIG crawl phase. |