IA-4: Identifier Management
Previous Version:
- NIST Special Publication 800-53 Revision 4:
  - IA-4: Identifier Management
Control Statement
Manage system identifiers by:
- Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, service, or device identifier;
- Selecting an identifier that identifies an individual, group, role, service, or device;
- Assigning the identifier to the intended individual, group, role, service, or device; and
- Preventing reuse of identifiers for [Assignment: organization-defined time period].
Supplemental Guidance
Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.
Control Enhancements
IA-4(1): Prohibit Account Identifiers as Public Identifiers
Baseline(s):
Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts.
IA-4(4): Identify User Status
Baseline(s):
- Moderate
- High
Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].
IA-4(5): Dynamic Management
Baseline(s):
Manage individual identifiers dynamically in accordance with [Assignment: organization-defined dynamic identifier policy].
IA-4(6): Cross-organization Management
Baseline(s):
Coordinate with the following external organizations for cross-organization management of identifiers: [Assignment: organization-defined external organizations].
IA-4(8): Pairwise Pseudonymous Identifiers
Baseline(s):
Generate pairwise pseudonymous identifiers.
IA-4(9): Attribute Maintenance and Protection
Baseline(s):
Maintain the attributes for each uniquely identified individual, device, or service in [Assignment: organization-defined protected central storage].