Skip to Content

Identifier Management IA-4

700  Matthew Burdick September 30, 2022  Identification and Authentication (IA)

Overview:
The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].


Supplemental Guidance:
Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.


Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37.


Action Items:
1) Ensure identifiers are managed properly

 

Related Documents:
1) Identity and Access Management Policy


Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
IA-4 (d) [at least two years]
IA-4 (e) [ninety days for user identifiers] (See additional requirements and guidance)


Moderate Additional FedRAMP Requirements and Guidance
IA-4 (e) Requirement: The service provider defines time period of inactivity for device identifiers. Guidance: For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP
http://iase.disa.mil/cloud_security/Pages/index.aspx
Not Rated
Secure Code