IA-12: Identity Proofing

CSF v1.1 References:

CSF v2.0 References:

PF v1.0 References:

Threats Addressed:

Baselines:

Info icon.

Control is new to this version of the control set.

Control Statement

  1. Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;
  2. Resolve user identities to a unique individual; and
  3. Collect, validate, and verify identity evidence.

Supplemental Guidance

Identity proofing is the process of collecting, validating, and verifying a user's identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include SP 800-63-3 and SP 800-63A. Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

Control Enhancements

IA-12(1): Supervisor Authorization

Baseline(s):

(Not part of any baseline)

Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization.

IA-12(2): Identity Evidence

Baseline(s):

  • Moderate
  • High

Require evidence of individual identification be presented to the registration authority.

IA-12(5): Address Confirmation

Baseline(s):

  • Moderate
  • High

Require that a [Assignment: registration code, notice of proofing] be delivered through an out-of-band channel to verify the users address (physical or digital) of record.