Navigate

IA-8(3)

IA-8(3): Use of Ficam-approved Products

The organization employs only FICAM-approved information system components in [organization-defined information systems] to accept third-party credentials.

Supplemental

This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to IA-8(3).

Control	Description
SA-4	The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: a: Security functional requirements; b: Security strength requirements; c: Security assurance requirements; d: Security-related documentation requirements; e: Requirements for protecting security-related documentation; f: Description of the information system development environment and environment in which the system is intended to operate; and g: Acceptance criteria.

Control

Description

SA-4

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

a: Security functional requirements;

b: Security strength requirements;

c: Security assurance requirements;

d: Security-related documentation requirements;

e: Requirements for protecting security-related documentation;

f: Description of the information system development environment and environment in which the system is intended to operate; and

g: Acceptance criteria.

Enhancements

The controls below (if any) add on to the requirements of IA-8(3).

Control	Description
No controls

Related CCIs

The CCIs below are tied to IA-8(3).

CCI	Definition
CCI-002012	The organization defines the information systems which will employ only FICAM-approved information system components.
CCI-002013	The organization employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials.