BRACKETOLOGY | FEDRAMP

IA-4: IDENTIFIER MANAGEMENT

  • FedRAMP Baseline Membership IA-4:
  • LOW
  • MODERATE
  • HIGH

The organization manages information system identifiers by:

    • a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
    • b. Selecting an identifier that identifies an individual, group, role, or device;
    • c. Assigning the identifier to the intended individual, group, role, or device;
    • d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
    • e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
LOW BASELINE:

The organization manages information system identifiers by:

  • a. Receiving authorization from organization-defined personnel or roles to assign an individual, group, role, or device identifier;
  • b. Selecting an identifier that identifies an individual, group, role, or device;
  • c. Assigning the identifier to the intended individual, group, role, or device;
  • d. Preventing reuse of identifiers for at least two (2) years; and
  • e. Disabling the identifier after ninety (90) days of inactivity for user identifiers (see additional requirements and guidance).

FedRAMP REQUIREMENT:

The service provider defines the time period of inactivity for device identifiers.

FedRAMP GUIDANCE:

IA-4e.: For DoD clouds, see the DoD cloud website for DoD-specific requirements that go above and beyond FedRAMP: http://iase.disa.mil/cloud_security/Pages/index.aspx.

MODERATE BASELINE:

The organization manages information system identifiers by:

  • a. Receiving authorization from organization-defined personnel or roles to assign an individual, group, role, or device identifier;
  • b. Selecting an identifier that identifies an individual, group, role, or device;
  • c. Assigning the identifier to the intended individual, group, role, or device;
  • d. Preventing reuse of identifiers for at least two (2) years; and
  • e. Disabling the identifier after ninety (90) days of inactivity for user identifiers (see additional requirements and guidance).

FedRAMP REQUIREMENT:

The service provider defines the time period of inactivity for device identifiers.

FedRAMP GUIDANCE:

IA-4e.: For DoD clouds, see the DoD cloud website for DoD-specific requirements that go above and beyond FedRAMP: http://iase.disa.mil/cloud_security/Pages/index.aspx.

HIGH BASELINE:

The organization manages information system identifiers by:

  • a. Receiving authorization from, at a minimum, the ISSO (or a similar role within the organization) to assign an individual, group, role, or device identifier;
  • b. Selecting an identifier that identifies an individual, group, role, or device;
  • c. Assigning the identifier to the intended individual, group, role, or device;
  • d. Preventing reuse of identifiers for at least two (2) years; and
  • e. Disabling the identifier after thirty-five (35) days of inactivity (see additional requirements and guidance).

FedRAMP REQUIREMENT:

The service provider defines the time period of inactivity for device identifiers.

FedRAMP GUIDANCE:

IA-4e. (HIGH): For DoD clouds, see the DoD cloud website for DoD-specific requirements that go above and beyond FedRAMP: http://iase.disa.mil/cloud_security/Pages/index.aspx.
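The LOW, MODERATE and HIGH panels above fix the IA-4d and IA-4e parameters (two-year reuse block; 90 or 35 days of user inactivity; a provider-defined device inactivity period). The following is an added example, not part of the FedRAMP page, of checking an identifier inventory against those parameters; the `Identifier` record layout, the 730-day reading of "two years" and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# IA-4 parameters from the FedRAMP panels above; device inactivity is provider-defined, so it is passed in.
USER_INACTIVITY_DAYS = {"low": 90, "moderate": 90, "high": 35}
REUSE_BLOCK_DAYS = 730  # "at least two (2) years", assumed here as 730 days

@dataclass
class Identifier:
    name: str
    kind: str                        # "user" or "device"
    assigned_on: date
    last_activity: date
    retired_on: Optional[date] = None
    enabled: bool = True

def stale_identifiers(records, baseline, today, device_inactivity_days):
    """IA-4e: enabled identifiers idle longer than the baseline allows."""
    findings = []
    for r in records:
        if not r.enabled:
            continue
        limit = USER_INACTIVITY_DAYS[baseline] if r.kind == "user" else device_inactivity_days
        idle = (today - r.last_activity).days
        if idle > limit:
            findings.append((r.name, idle, limit))
    return findings

def reuse_violations(records):
    """IA-4d: a live identifier re-assigned within two years of its retirement."""
    retired = {}
    for r in records:
        if r.retired_on is not None:
            retired[r.name] = max(r.retired_on, retired.get(r.name, r.retired_on))
    hits = []
    for r in records:
        if r.retired_on is None and r.name in retired:
            gap = (r.assigned_on - retired[r.name]).days
            if gap < REUSE_BLOCK_DAYS:
                hits.append((r.name, gap))
    return hits

# Constructed sample inventory (not real accounts), evaluated as of 2024-06-30.
TODAY = date(2024, 6, 30)
SAMPLE = [
    Identifier("jdoe", "user", date(2023, 1, 10), date(2024, 6, 1)),
    Identifier("asmith", "user", date(2022, 3, 5), date(2024, 3, 1)),         # 121 days idle
    Identifier("vm-web-07", "device", date(2021, 8, 1), date(2024, 1, 15)),   # 167 days idle
    Identifier("bjones", "user", date(2019, 5, 1), date(2023, 2, 1), date(2023, 2, 15), False),
    Identifier("bjones", "user", date(2024, 4, 1), date(2024, 6, 20)),        # reused after 411 days
]
```

Run against a real inventory, `stale_identifiers` yields the IA-4e disable list for the chosen baseline, and `reuse_violations` flags assignments that would breach the two-year reuse block before they are approved.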

SUPPLEMENTAL GUIDANCE

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

CONTROL ENHANCEMENTS

IA-4 (1) IDENTIFIER MANAGEMENT | PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS

The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts.

Supplemental Guidance:

Prohibiting the use of information system account identifiers that are the same as some public identifier, such as the individual identifier section of an electronic mail address, makes it more difficult for adversaries to guess user identifiers on organizational information systems.


IA-4 (2) IDENTIFIER MANAGEMENT | SUPERVISOR AUTHORIZATION

The organization requires that the registration process to receive an individual identifier includes supervisor authorization.

Supplemental Guidance: NONE

IA-4 (3) IDENTIFIER MANAGEMENT | MULTIPLE FORMS OF CERTIFICATION

The organization requires multiple forms of certification of individual identification be presented to the registration authority.

Supplemental Guidance:

Requiring multiple forms of identification, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity, or at least increases the work factor of potential adversaries.

IA-4 (4) IDENTIFIER MANAGEMENT | IDENTIFY USER STATUS
  • FedRAMP Baseline Membership IA-4 (4):
  • MODERATE
  • HIGH

The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].

MODERATE and HIGH BASELINES (identical configuration):

The organization manages individual identifiers by uniquely identifying each individual as contractors; foreign nationals.


Supplemental Guidance:

Characteristics identifying the status of individuals include, for example, contractors and foreign nationals. Identifying the status of individuals by specific characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor.


IA-4 (5) IDENTIFIER MANAGEMENT | DYNAMIC MANAGEMENT

The information system dynamically manages identifiers.

Supplemental Guidance:

In contrast to conventional approaches to identification, which presume static accounts for preregistered users, many distributed information systems, including, for example, service-oriented architectures, rely on establishing identifiers at run time for entities that were previously unknown. In these situations, organizations anticipate and provision for the dynamic establishment of identifiers. Preestablished trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.


IA-4 (6) IDENTIFIER MANAGEMENT | CROSS-ORGANIZATION MANAGEMENT

The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers.

Supplemental Guidance:

Cross-organization identifier management provides the capability for organizations to appropriately identify individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information.

IA-4 (7) IDENTIFIER MANAGEMENT | IN-PERSON REGISTRATION

The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority.

Supplemental Guidance:

In-person registration reduces the likelihood of fraudulent identifiers being issued because it requires the physical presence of individuals and actual face-to-face interactions with designated registration authorities.

REFERENCES:

  • FIPS Publication 201
  • NIST Special Publication 800-73
  • NIST Special Publication 800-76
  • NIST Special Publication 800-78