Navigate

IA-8

IA-8: Identification and Authentication (Non-organizational Users)

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

Supplemental

Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
DAF Baseline, Privacy (high), Privacy (low), Privacy (moderate)

CSF Categories
PR.AC-1, PR.AC-6, PR.AC-7

Related Controls

The controls below (if any) were marked by NIST as being related to IA-8.

Control	Description
AC-2	a: Define and document the types of accounts allowed and specifically prohibited for use within the system; b: Assign account managers; c: Require [prerequisites and criteria for group and role membership are defined;] for group and role membership; d: Specify: 1: Authorized users of the system; 2: Group and role membership; and 3: Access authorizations (i.e., privileges) and [attributes (as required) for each account are defined;] for each account; e: Require approvals by [personnel or roles required to approve requests to create accounts is/are defined;] for requests to create accounts; f: Create, enable, modify, disable, and remove accounts in accordance with [policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;]; g: Monitor the use of accounts; h: Notify account managers and [personnel or roles to be notified is/are defined;] within: 1: [time period within which to notify account managers when accounts are no longer required is defined;] when accounts are no longer required; 2: [time period within which to notify account managers when users are terminated or transferred is defined; ] when users are terminated or transferred; and 3: [time period within which to notify account managers when system usage or the need to know changes for an individual is defined;] when system usage or need-to-know changes for an individual; i: Authorize access to the system based on: 1: A valid access authorization; 2: Intended system usage; and 3: [attributes needed to authorize system access (as required) are defined;]; j: Review accounts for compliance with account management requirements [the frequency of account review is defined;]; k: Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l: Align account management processes with personnel termination and transfer processes.
AC-6	Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
AC-14	a: Identify [user actions that can be performed on the system without identification or authentication are defined;] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b: Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.
AC-17	a: Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b: Authorize each type of remote access to the system prior to allowing such connections.
AC-18	a: Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and b: Authorize each type of wireless access to the system prior to allowing such connections.
AU-6	a: Review and analyze system audit records [frequency at which system audit records are reviewed and analyzed is defined;] for indications of [inappropriate or unusual activity is defined;] and the potential impact of the inappropriate or unusual activity; b: Report findings to [personnel or roles to receive findings from reviews and analyses of system records is/are defined;] ; and c: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
IA-2	Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
IA-4	Manage system identifiers by: a: Receiving authorization from [personnel or roles from whom authorization must be received to assign an identifier are defined;] to assign an individual, group, role, service, or device identifier; b: Selecting an identifier that identifies an individual, group, role, service, or device; c: Assigning the identifier to the intended individual, group, role, service, or device; and d: Preventing reuse of identifiers for [a time period for preventing reuse of identifiers is defined;].
IA-5	Manage system authenticators by: a: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b: Establishing initial authenticator content for any authenticators issued by the organization; c: Ensuring that authenticators have sufficient strength of mechanism for their intended use; d: Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e: Changing default authenticators prior to first use; f: Changing or refreshing authenticators [a time period for changing or refreshing authenticators by authenticator type is defined;] or when [events that trigger the change or refreshment of authenticators are defined;] occur; g: Protecting authenticator content from unauthorized disclosure and modification; h: Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i: Changing authenticators for group or role accounts when membership to those accounts changes.
IA-10	Require individuals accessing the system to employ [supplemental authentication techniques or mechanisms to be employed when accessing the system under specific circumstances or situations are defined;] under specific [circumstances or situations that require individuals accessing the system to employ supplemental authentication techniques or mechanisms are defined;].
IA-11	Require users to re-authenticate when [circumstances or situations requiring re-authentication are defined;].
IA-13	Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions in accordance with [identification and authentication policy is defined;] using [mechanisms supporting authentication and authorization decisions are defined;].
MA-4	a: Approve and monitor nonlocal maintenance and diagnostic activities; b: Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c: Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d: Maintain records for nonlocal maintenance and diagnostic activities; and e: Terminate session and network connections when nonlocal maintenance is completed.
RA-3	a: Conduct a risk assessment, including: 1: Identifying threats to and vulnerabilities in the system; 2: Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and 3: Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; b: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; c: Document risk assessment results in [one of "security and privacy plans"/"risk assessment report"/"{{ insert: param, ra-03_odp.02 }} "]; d: Review risk assessment results [the frequency to review risk assessment results is defined;]; e: Disseminate risk assessment results to [personnel or roles to whom risk assessment results are to be disseminated is/are defined;] ; and f: Update the risk assessment [the frequency to update the risk assessment is defined;] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
SA-4	Include the following requirements, descriptions, and criteria, explicitly or by reference, using [one or more of "standardized contract language"/"{{ insert: param, sa-04_odp.02 }} "] in the acquisition contract for the system, system component, or system service: a: Security and privacy functional requirements; b: Strength of mechanism requirements; c: Security and privacy assurance requirements; d: Controls needed to satisfy the security and privacy requirements. e: Security and privacy documentation requirements; f: Requirements for protecting security and privacy documentation; g: Description of the system development environment and environment in which the system is intended to operate; h: Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and i: Acceptance criteria.
SC-8	Protect the [one or more of "confidentiality"/"integrity"] of transmitted information.

Enhancements

The controls below (if any) add on to the requirements of IA-8.

Control	Description
IA-8(1)	Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.
IA-8(2)	(a): Accept only external authenticators that are NIST-compliant; and (b): Document and maintain a list of accepted external authenticators.
IA-8(3)
IA-8(4)	Conform to the following profiles for identity management [identity management profiles are defined;].
IA-8(5)	Accept and verify federated or PKI credentials that meet [a policy for using federated or PKI credentials is defined;].
IA-8(6)	Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [disassociability measures are defined;].

Related CCIs

The CCIs below are tied to IA-8.

CCI	Definition
CCI-000804	Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.