IA-9: Service Identification and Authentication

CSF v1.1 References:

CSF v2.0 References:

PF v1.0 References:

Threats Addressed:


  • Low


  • Moderate


  • High


  • Privacy


Previous Version:

Info icon.

Incorporates the following controls from the previous version of the control set: IA-9(1): Information Exchange, IA-9(2): Transmission Of Decisions.

Control Statement

Uniquely identify and authenticate [Assignment: organization-defined system services and applications] before establishing communications with devices, users, or other services or applications.

Supplemental Guidance

Services that may require identification and authentication include web applications using digital certificates or services or applications that query a database. Identification and authentication methods for system services and applications include information or code signing, provenance graphs, and electronic signatures that indicate the sources of services. Decisions regarding the validity of identification and authentication claims can be made by services separate from the services acting on those decisions. This can occur in distributed system architectures. In such situations, the identification and authentication decisions (instead of actual identifiers and authentication data) are provided to the services that need to act on those decisions.