PR.AA-04: Identity assertions are protected, conveyed, and verified

Subcategory is new to this version of the framework.

Description

[csf.tools Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

Ex1: Protect identity assertions that are used to convey authentication and user information through single sign-on systems

Ex2: Protect identity assertions that are used to convey authentication and user information between federated systems

Ex3: Implement standards-based approaches for identity assertions in all contexts, and follow all guidance for the generation (e.g., data models, metadata), protection (e.g., digital signing, encryption), and verification (e.g., signature validation) of identity assertions