IA-8(3): Use Of Ficam-Approved Products

Control Family:

Identification And Authentication

Parent Control:

IA-8: Identification And Authentication (Non-Organizational Users)

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

PR.AC-1
PR.AC-6
PR.AC-7

Threats Addressed:

Spoofing
Repudiation

Baselines:

Low
Moderate
High

Control is withdrawn in the next version of this control set and incorporated into: IA-8(2): Acceptance of External Authenticators.

Control Statement

The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials.

Supplemental Guidance

This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.