IA-9: Service Identification And Authentication
Control Family:
Threats Addressed:
Baselines:
- Low: N/A
- Moderate: N/A
- High: N/A
Next Version:
- NIST Special Publication 800-53 Revision 5: IA-9: Service Identification and Authentication
Control Statement
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
Supplemental Guidance
This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner, if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services.
Control Enhancements
IA-9(1): Information Exchange
Baseline(s):
The organization ensures that service providers receive, validate, and transmit identification and authentication information.
IA-9(2): Transmission Of Decisions
Baseline(s):
The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies.