IA-4: Identifier Management

CSF v1.1 References:

PF v1.0 References:

Threats Addressed:

Baselines:

  • Low
    • IA-4
  • Moderate
    • IA-4
  • High
    • IA-4

Next Version:

Control Statement

The organization manages information system identifiers by:

  1. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
  2. Selecting an identifier that identifies an individual, group, role, or device;
  3. Assigning the identifier to the intended individual, group, role, or device;
  4. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
  5. Disabling the identifier after [Assignment: organization-defined time period of inactivity].

Supplemental Guidance

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

Control Enhancements

IA-4(2): Supervisor Authorization

Baseline(s):

(Not part of any baseline)

The organization requires that the registration process to receive an individual identifier includes supervisor authorization.

IA-4(3): Multiple Forms Of Certification

Baseline(s):

(Not part of any baseline)

The organization requires multiple forms of certification of individual identification be presented to the registration authority.

IA-4(4): Identify User Status

Baseline(s):

(Not part of any baseline)

The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].

IA-4(6): Cross-Organization Management

Baseline(s):

(Not part of any baseline)

The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers.

IA-4(7): In-Person Registration

Baseline(s):

(Not part of any baseline)

The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority.