IA-8: Identification and Authentication (non-organizational Users)

CSF v1.1 References:

CSF v2.0 References:

Threats Addressed:


Previous Version:

Control Statement

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

Supplemental Guidance

Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors-including security, privacy, scalability, and practicality-when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.

Control Enhancements

IA-8(4): Use of Defined Profiles


  • Low
  • Moderate
  • High

Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles].

IA-8(6): Disassociability


(Not part of any baseline)

Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [Assignment: organization-defined measures].