PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization


This subcategory is new to this version of the framework and incorporates the following item from the previous version: PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.


[Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

Ex1: Initiate requests for new access or additional access for employees, contractors, and others, and track, review, and fulfill the requests, with permission from system or data owners when needed

Ex2: Issue, manage, and revoke cryptographic certificates and identity tokens, cryptographic keys (i.e., key management), and other credentials

Ex3: Select a unique identifier for each device from immutable hardware characteristics or an identifier securely provisioned to the device

Ex4: Physically label authorized hardware with an identifier for inventory and servicing purposes
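The following is an added worked example, not NIST's text and not a prescribed implementation, that shows one concrete way Ex2 and Ex3 fit together: a device identifier is derived from the fingerprint of a public key assumed to live in non-exportable hardware (a TPM or secure element), and an identity service then issues, verifies, revokes, and audits short-lived credentials for that identifier. The token format (base64 payload plus HMAC-SHA256 tag), the field names, the `CredentialService` class, and the placeholder key bytes are all assumptions made for illustration; a production deployment would normally use standard formats and an HSM- or TPM-held issuer key rather than this hypothetical scheme.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def device_id_from_key(pubkey_der: bytes) -> str:
    """Ex3: derive a stable device identifier from an immutable characteristic.

    The key is assumed to be held in non-exportable hardware (TPM, secure element),
    so its fingerprint survives re-imaging. Hostnames, IP and MAC addresses are
    deliberately not used as the identifier source because they are mutable.
    """
    return "dev-" + hashlib.sha256(pubkey_der).hexdigest()[:32]


class CredentialService:
    """Ex2: issue, verify, revoke and audit identity tokens (hypothetical HMAC-signed format)."""

    def __init__(self, issuer_key: bytes, clock=time.time):
        if len(issuer_key) < 32:
            raise ValueError("issuer key must be at least 256 bits")
        self._key = issuer_key
        self._clock = clock                # injectable so expiry is testable deterministically
        self._revoked: set[str] = set()    # revoked token IDs (jti); in-memory for this example
        self.audit: list[dict] = []        # append-only trail of every lifecycle event

    def _log(self, event: str, jti: str, subject: str, **extra) -> None:
        self.audit.append({"ts": int(self._clock()), "event": event, "jti": jti, "sub": subject, **extra})

    def _sign(self, payload_b64: str) -> str:
        return _b64e(hmac.new(self._key, payload_b64.encode("ascii"), hashlib.sha256).digest())

    def _authentic(self, token: str) -> dict | None:
        """Constant-time MAC check; only then is the payload parsed."""
        body, _, sig = token.partition(".")
        if not sig or not hmac.compare_digest(sig, self._sign(body)):
            return None
        return json.loads(_b64d(body))

    def issue(self, subject: str, scopes: list[str], ttl_s: int) -> str:
        now = int(self._clock())
        payload = {"jti": secrets.token_hex(8), "sub": subject, "scp": scopes, "iat": now, "exp": now + ttl_s}
        body = _b64e(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
        self._log("issue", payload["jti"], subject, exp=payload["exp"])
        return f"{body}.{self._sign(body)}"

    def verify(self, token: str) -> dict | None:
        """Return the payload if the token is authentic, unrevoked and unexpired, else None."""
        payload = self._authentic(token)
        if payload is None:
            self._log("reject", "?", "?", reason="bad_signature")
            return None
        if payload["jti"] in self._revoked:
            self._log("reject", payload["jti"], payload["sub"], reason="revoked")
            return None
        if payload["exp"] <= int(self._clock()):
            self._log("reject", payload["jti"], payload["sub"], reason="expired")
            return None
        self._log("accept", payload["jti"], payload["sub"])
        return payload

    def revoke(self, token: str) -> bool:
        """Revoke by token ID. Only authentic tokens are accepted, so forged input cannot pollute the list."""
        payload = self._authentic(token)
        if payload is None:
            return False
        self._revoked.add(payload["jti"])
        self._log("revoke", payload["jti"], payload["sub"])
        return True


if __name__ == "__main__":
    # Constructed inputs: a placeholder "hardware-bound" public key and a random issuer key.
    fake_hw_pubkey = bytes(range(91))
    svc = CredentialService(secrets.token_bytes(32))
    dev = device_id_from_key(fake_hw_pubkey)
    tok = svc.issue(dev, ["telemetry:write"], ttl_s=600)
    print("accepted:", svc.verify(tok) is not None)
    svc.revoke(tok)
    print("after revoke:", svc.verify(tok))
    for entry in svc.audit:
        print(entry)
```

The audit list is the part reviewers most often ask for when assessing this subcategory: every issue, accept, reject (with reason), and revoke is recorded against the subject, which is what makes the "audited" requirement carried over from PR.AC-1 verifiable rather than asserted.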