PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
AC-16: Security and Privacy Attributes
Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; Ensure that the attribute associations are made and retained with the information; Establish the following permitted security and privacy attributes from the attributes defined in…
IA-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] identification and authentication policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the…
IA-2: Identification and Authentication (Organizational Users)
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
IA-4: Identifier Management
Manage system identifiers by: Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, service, or device identifier; Selecting an identifier that identifies an individual, group, role, service, or device; Assigning the identifier to the intended individual, group, role, service, or device; and Preventing reuse of identifiers for [Assignment: organization-defined time…
IA-5: Authenticator Management
Manage system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; Establishing initial authenticator content for any authenticators issued by the organization; Ensuring that authenticators have sufficient strength of mechanism for their intended use; Establishing and implementing administrative procedures for initial…
IA-8: Identification and Authentication (Non-Organizational Users)
Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
IA-12: Identity Proofing
Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines; Resolve user identities to a unique individual; and Collect, validate, and verify identity evidence.
PE-2: Physical Access Authorizations
Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; Issue authorization credentials for facility access; Review the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and Remove individuals from the facility access list when access is no longer required.
PS-3: Personnel Screening
Screen individuals prior to authorizing access to the system; and Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening].
Cloud Controls Matrix v3.0.1
EKM-01: Entitlement
Keys must have identifiable owners (binding keys to identities) and there shall be key management policies.
IAM-02: Credential Lifecycle / Provision Management
User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes,…
IAM-08: Trusted Sources
Policies and procedures are established for permissible storage and access of identities used for authentication to ensure identities are only accessible based on rules of least privilege and replication limitation only to users explicitly defined as business necessary.
IAM-09: User Access Authorization
Provisioning user access (e.g., employees, contractors, customers (tenants), business partners, and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization’s management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer…
IAM-10: User Access Reviews
User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization’s business leadership or other accountable business role or function supported by evidence to demonstrate the organization is adhering to the rule of least privilege based on job function. For identified access violations, remediation must follow established user access policies…
IAM-11: User Access Revocation
Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components, shall be implemented as per established policies and procedures and based on user’s change in status (e.g., termination of employment or other business relationship, job change, or transfer). Upon request, provider shall…
IAM-12: User ID Credentials
Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures: Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation); Account credential lifecycle management from instantiation through revocation; Account credential…
NIST Special Publication 800-53 Revision 4
AC-1: Access Control Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the access control policy and associated access controls; and Reviews and updates the current: Access control policy [Assignment:…
AC-2: Account Management
The organization: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; Assigns account managers for information system accounts; Establishes conditions for group and role membership; Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other…
AC-3: Access Enforcement
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-16: Security Attributes
The organization: Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; Ensures that the security attribute associations are made and retained with the information; Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and Determines…
AC-19: Access Control For Mobile Devices
The organization: Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and Authorizes the connection of mobile devices to organizational information systems.
AC-24: Access Control Decisions
The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
IA-1: Identification And Authentication Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and Reviews and updates the current:…
IA-2: Identification And Authentication (Organizational Users)
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
IA-4: Identifier Management
The organization manages information system identifiers by: Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier; Selecting an identifier that identifies an individual, group, role, or device; Assigning the identifier to the intended individual, group, role, or device; Preventing reuse of identifiers for [Assignment: organization-defined time period];…
IA-5: Authenticator Management
The organization manages information system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; Establishing initial authenticator content for authenticators defined by the organization; Ensuring that authenticators have sufficient strength of mechanism for their intended use; Establishing and implementing administrative procedures for…
IA-8: Identification And Authentication (Non-Organizational Users)
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
PE-2: Physical Access Authorizations
The organization: Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; Issues authorization credentials for facility access; Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and Removes individuals from the facility access list when access is no longer required.
PS-3: Personnel Screening
The organization: Screens individuals prior to authorizing access to the information system; and Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
Critical Security Controls Version 7.1
1: Inventory and Control of Hardware Assets
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
3: Continuous Vulnerability Management
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
15: Wireless Access Control
The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (WLANs), access points, and wireless client systems.