IAM-12: User ID Credentials

Control Family:

Identity & Access Management

CSF v1.1 References:

PR.AC-1
PR.AC-6
PR.AC-7

PF v1.0 References:

PR.AC-P1
PR.AC-P6

Threats Addressed:

Spoofing
Repudiation
Elevation of Privilege

Control Statement

Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures:

Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation)
Account credential lifecycle management from instantiation through revocation
Account credential and/or identity store minimization or re-use when feasible
Adherence to industry acceptable and/or regulatory compliant authentication, authorization, and accounting (AAA) rules (e.g., strong/multi-factor, expireable, non-shared authentication secrets)

Control Statement

Related Controls

NIST Special Publication 800-53 Revision 5

NIST Special Publication 800-53 Revision 4