IA-08 Identification and Authentication (Non-organizational Users)
Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
Baselines
- Low (L)
- Moderate (M)
- High (H)
- Privacy (P)
Guidance
Non-organizational users include system users other than the organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors, including security, privacy, scalability, and practicality, when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.
References
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016.
- FED PKI General Services Administration, *Federal Public Key Infrastructure*.
- FIPS 201-2 National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2.
- SP 800-63-3 Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020.
- SP 800-79-2 Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2.
- SP 800-116 Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1.
- IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
Control Enhancements
- IA-08(01) Acceptance of PIV Credentials from Other Agencies L M H P
- IA-08(02) Acceptance of External Authenticators L M H P
- IA-08(03) Use of FICAM-approved Products
- IA-08(04) Use of Defined Profiles L M H P
- IA-08(05) Acceptance of PIV-I Credentials L M H P
- IA-08(06) Disassociability L M H P
Related controls
- AC-02 Account Management L M H P
- AC-06 Least Privilege L M H P
- AC-14 Permitted Actions Without Identification or Authentication L M H P
- AC-17 Remote Access L M H P
- AC-18 Wireless Access L M H P
- AU-06 Audit Record Review, Analysis, and Reporting L M H P
- IA-02 Identification and Authentication (Organizational Users) L M H P
- IA-04 Identifier Management L M H P
- IA-05 Authenticator Management L M H P
- IA-10 Adaptive Authentication L M H P
- IA-11 Re-authentication L M H P
- IA-13 Identity Providers and Authorization Servers L M H P
- MA-04 Nonlocal Maintenance L M H P
- RA-03 Risk Assessment L M H P
- SA-04 Acquisition Process L M H P
- SC-08 Transmission Confidentiality and Integrity L M H P