IA-8(2): Acceptance Of Third-Party Credentials

CSF v1.1 References:

Threats Addressed:


  • Low
  • Moderate
  • High

Next Version:

Control Statement

The information system accepts only FICAM-approved third-party credentials.

Supplemental Guidance

This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.