CCI-005155

Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions in accordance with organization-defined identification and authentication policy using organization-defined mechanisms.

Implementation Guidance

​Determine if:-- identity providers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authentication decisions in accordance with [IA-13_ODP[01]; identification and authentication policy is defined] using [IA-13_ODP[02]; mechanisms supporting authentication and authorization decisions are defined];- identity providers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authorization decisions in accordance with [IA-13_ODP[01]; identification and authentication policy is defined] using [IA-13_ODP[02]; mechanisms supporting authentication and authorization decisions are defined];- authorization servers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authentication decisions in accordance with [IA-13_ODP[01]; identification and authentication policy is defined] using [IA-13_ODP[02]; mechanisms supporting authentication and authorization decisions are defined]; and- authorization servers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authorization decisions in accordance with [IA-13_ODP[01]; identification and authentication policy is defined] using [IA-13_ODP[02]; mechanisms supporting authentication and authorization decisions are defined].

Validation Procedures

Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user and device identification and authentication; system security plan; system design documentation; system configuration settings and associated documentation; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with account management responsibilities; system developers]. Test: [SELECT FROM: Mechanisms supporting and/or implementing identification and authentication capabilities and access rights].

The controls below (if any) were marked by NIST as being related to CCI-005155.