IAM-12: User ID Credentials

CSF v1.1 References:

PF v1.0 References:

Control Statement

Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures:

  • Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation)
  • Account credential lifecycle management from instantiation through revocation
  • Account credential and/or identity store minimization or re-use when feasible
  • Adherence to industry acceptable and/or regulatory compliant authentication, authorization, and accounting (AAA) rules (e.g., strong/multi-factor, expirable, non-shared authentication secrets)