IA-9: Service Identification and Authentication
Control Family:
Threats Addressed:
Baselines:
- Low
N/A
- Moderate
N/A
- High
N/A
- Privacy
N/A
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- IA-9: Service Identification And Authentication
Incorporates the following controls from the previous version: IA-9(1): Information Exchange, IA-9(2): Transmission Of Decisions.
Control Statement
Uniquely identify and authenticate [Assignment: organization-defined system services and applications] before establishing communications with devices, users, or other services or applications.
Supplemental Guidance
Services that may require identification and authentication include web applications using digital certificates or services or applications that query a database. Identification and authentication methods for system services and applications include information or code signing, provenance graphs, and electronic signatures that indicate the sources of services. Decisions regarding the validity of identification and authentication claims can be made by services separate from the services acting on those decisions. This can occur in distributed system architectures. In such situations, the identification and authentication decisions (instead of actual identifiers and authentication data) are provided to the services that need to act on those decisions.