Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality, when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.
Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.
Accept only external authenticators that are NIST-compliant; and document and maintain a list of accepted external authenticators.
Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles].
Accept and verify federated or PKI credentials that meet [Assignment: organization-defined policy].
Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [Assignment: organization-defined measures].