IA-8: Identification and Authentication (Non-Organizational Users)
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- IA-8: Identification And Authentication (Non-Organizational Users)
Control Statement
Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
Supplemental Guidance
Non-organizational users include system users other than the organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for all accesses other than those explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality, when balancing the need for ease of access to federal information and systems against the need to protect them and adequately mitigate risk.
Control Enhancements
IA-8(1): Acceptance of PIV Credentials from Other Agencies
Baseline(s):
- Low
- Moderate
- High
Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.
IA-8(2): Acceptance of External Authenticators
Baseline(s):
- Low
- Moderate
- High
- (a) Accept only external authenticators that are NIST-compliant; and
- (b) Document and maintain a list of accepted external authenticators.
IA-8(4): Use of Defined Profiles
Baseline(s):
- Low
- Moderate
- High
Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles].
IA-8(5): Acceptance of PIV-I Credentials
Baseline(s):
Accept and verify federated or PKI credentials that meet [Assignment: organization-defined policy].
IA-8(6): Disassociability
Baseline(s):
Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [Assignment: organization-defined measures].