CCI-005157

The private keys used to sign assertions and tokens are protected commensurate with the impact of the system and information resources that can be accessed.

Implementation Guidance

​Determine if:- the source of identity assertions is verified before granting access to system and information resources;- the integrity of identity assertions is verified before granting access to system and information resources;- the source of access tokens is verified before granting access to system and information resources; and- the integrity of access tokens is verified before granting access to system and information resources.

Validation Procedures

Examine: [SELECT FROM: Identification and authentication policy; system security plan; system design documentation; system configuration settings and associated documentation; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/ network administrators; organizational personnel with account management responsibilities; system developers]. Test: [SELECT FROM: Identity provider mechanisms supporting and/or implementing identification and authentication capabilities and access rights].

The controls below (if any) were marked by NIST as being related to CCI-005157.