https://learn.microsoft.com/en-us/entra/standards/configure-cmmc-level-1-controls
Microsoft Entra ID meets identity-related practice requirements in each Cybersecurity Maturity Model Certification (CMMC) level. To be compliant with requirements in CMMC, it's the responsibility of companies performing work with, and on behalf of, the US Dept. of Defense (DoD) to complete other configurations or processes. In CMMC Level 1, there are three domains that have one or more practices related to identity: Access Control (AC), Identification and Authentication (IA), and System and Information Integrity (SI).
https://cirt.net/nikto2
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items.
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-111.pdf
This NIST Special Publication provides recommendations to facilitate more efficient and effective storage encryption solution design, implementation, and management for Federal departments and agencies.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175Br1.pdf
This NIST Special Publication is one part in a series of documents intended to provide guidance to the Federal Government for using cryptography to protect its sensitive, but unclassified digitized information during transmission and while in storage.
https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_1/home?element=IA-04
This special publication from NIST provides an overview of Identifier Management.
https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-2
Control objectives for the implementation of multi-factor authentication from NIST SP 800-53.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
This NIST Special Publication provides technical requirements for federal agencies implementing digital identity services.
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md
This cheat sheet from OWASP provides general authentication guidelines.
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account
The scope of this test is to verify if it is possible to collect a set of valid usernames by interacting with the authentication mechanism of the application.
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials
This link discusses the process of testing web applications for default credentials.