IA-8(2): Acceptance of External Authenticators
Control Family:
Threats Addressed:
Baselines:
- Low
- Moderate
- High
Previous Version:
- NIST Special Publication 800-53 Revision 4:
  - IA-8(2): Acceptance Of Third-Party Credentials
Incorporates the following control from the previous version: IA-8(3): Use Of FICAM-Approved Products.
Control Statement
- Accept only external authenticators that are NIST-compliant; and
- Document and maintain a list of accepted external authenticators.
Supplemental Guidance
Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with SP 800-63B. Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level.