home || catalog: SP800-53rev3 / class: Technical / family: (IA) Identification and Authentication ||

IA-04: Identifier Management

base control objective:
The organization manages information system identifiers for users and devices by:
a. Receiving authorization from a designated organizational official to assign a user or device identifier;
b. Selecting an identifier that uniquely identifies an individual or device;
c. Assigning the user identifier to the intended party or the device identifier to the intended device;
d. Preventing reuse of user or device identifiers for [Assignment: organization-defined time period]; and
e. Disabling the user identifier after [Assignment: organization-defined time period of inactivity].

supplemental objective information:
Common device identifiers include media access control (MAC) or Internet protocol (IP) addresses, or device unique token identifiers. Management of user identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). It is commonly the case that a user identifier is the name of an information system account associated with an individual. In such instances, identifier management is largely addressed by the account management activities of AC-2. IA-4 also covers user identifiers not necessarily associated with an information system account (e.g., the identifier used in a physical security control database accessed by a badge reader system for access to the information system).

enhancements to the base objective:

(1) The organization prohibits the use of information system account identifiers as public identifiers for user electronic mail accounts (i.e., user identifier portion of the electronic mail address).
Enhancement Supplemental Guidance: The organization implements this control enhancement to the extent that the information system allows.

(2) The organization requires that registration to receive a user ID and password include authorization by a supervisor, and be done in person before a designated registration authority.

(3) The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority.

(4) The organization manages user identifiers by uniquely identifying the user as [Assignment: organization-defined characteristic identifying user status].
Enhancement Supplemental Guidance: Characteristics identifying user status include, for example, contractors and foreign nationals.

(5) The information system dynamically manages identifiers, attributes, and associated access authorizations.
Enhancement Supplemental Guidance: In contrast to conventional approaches to identification and authentication which employ static information system accounts for preregistered users, many service-oriented architecture implementations rely on establishing identities at run time for entities that were previously unknown. Dynamic establishment of identities and association of attributes and privileges with these identities is anticipated and provisioned. Pre-established trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.

mapping to FIPS199 baseline:

LOW: base     MOD: base     HIGH: base

related (regimented) controls:

AC-02   Account Management
IA-02   User Identification and Authentication (Organizational Users)

documents referenced in SP800-53rev3 for IA-04:

Document            | Date           | Status  | Title
FIPS 201-1          | March 2006     | current | Personal Identity Verification (PIV) of Federal Employees and Contractors
NIST SP800-124      | July 2008      | current | Guidelines on Cell Phone and PDA Security
NIST SP800-66       | October 2008   | current | An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST SP800-72       | November 2004  | current | Guidelines on PDA Forensics
NIST SP800-73-part2 | February 2010  | current | Interfaces for Personal Identity Verification
NIST SP800-76       | September 2006 | DRAFT   | Biometric Data Specification for Personal Identity Verification
NIST SP800-78       | December 2010  | current | Cryptographic Algorithms and Key Sizes for Personal Identity Verification
NIST SP800-87       | January 2006   | current | Codes for Identification of Federal and Federally-Assisted Organizations
NIST SP800-96       | September 2006 | current | PIV Card to Reader Interoperability Guidelines
