This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization manages information system identifiers by:
a. Receiving authorization from [FedRAMP Assignment: (H) at a minimum, the ISSO (or similar role within the organization)] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [FedRAMP Assignment: (L)(M)(H) At least two years]; and
e. Disabling the identifier after [FedRAMP Assignment: (H) thirty-five (35) days; (M)(L) ninety days (90) for user identifiers].
Additional FedRAMP Requirements and Guidance: The service provider defines a time period of inactivity for device identifiers. Guidance: For DoD clouds, see the DoD cloud website (https://public.cyber.mil/dccs/) for specific DoD requirements that go above and beyond FedRAMP.
NIST 800-53 (r4) Supplemental Guidance:
Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37.
References: FIPS Publication 201; NIST Special Publications 800-73, 800-76, 800-78.
NIST 800-53 (r5) Discussion:
Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices. Related Controls: AC-5, IA-2, IA-3, IA-5, IA-8, IA-9, IA-12, MA-4, PE-2, PE-3, PE-4, PL-4, PM-12, PS-3, PS-4, PS-5, SC-37.
38North Guidance:
Meets Minimum Requirement:
IA-4.a.2 - Manages information system identifiers by:
    Receiving authorization from organization-defined personnel or roles to assign:
        An individual identifier;
        A group identifier;
        A role identifier; and/or
        A device identifier.
IA-4.b - Manages information system identifiers by:
    Selecting an identifier that identifies:
        An individual;
        A group;
        A role; and/or
        A device.
IA-4.c - Manages information system identifiers by:
    Assigning an identifier that identifies:
        An individual;
        A group;
        A role; and/or
        A device.
IA-4.d.2 - Manages information system identifiers by:
    Preventing reuse of identifiers for the organization-defined time period.
IA-4.e.2 - Manages information system identifiers by:
    Disabling the identifier after the organization-defined time period of inactivity.
Best Practice:
Manage IDs for all internal users, including obtaining authorization, selecting a user ID, and assigning it.
Use a consistent format for each type of user ID.
Use a ticketing system to document the account approval process; this also satisfies the automated mechanism requirement.
Prevent the reuse of IDs and define the length of time that must pass before an ID may be reused.
Disable inactive identifiers after 35 days or less of inactivity.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Listing/Inventory of account IDs showing the user IDs currently in use, together with a list of disabled IDs, so the two can be compared to determine whether any identifier has been reused.
Tickets demonstrating the account approval process.
Listing of all MFA tokens in use that demonstrate a unique serial number for each token.
SIEM tool report of all accounts disabled after 35 days or less of inactivity.
Script or GPO setting demonstrating that accounts are disabled after 35 days or less of inactivity.
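As an added illustration of the checks called for in the Best Practice and Assessment Evidence sections (this is example code written for this page, not a script from 38North, FedRAMP or NIST), the Python below runs three IA-4 checks over an account inventory: every identifier has an authorization record (IA-4.a), no identifier is reassigned to a different subject within the two-year window (IA-4.d), and no enabled identifier has been idle longer than the FedRAMP High threshold of 35 days (IA-4.e). The inventory records, ticket numbers and field names are constructed assumptions; in practice the records would be exported from the directory service or IAM platform and the findings attached to the evidence package.

```python
"""IA-4 identifier lifecycle checks (FedRAMP High parameters).

Example code added for illustration. The inventory below is CONSTRUCTED
sample data, not an export from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

INACTIVITY_DISABLE_DAYS = 35      # IA-4.e, FedRAMP (H): disable after 35 days idle
REUSE_PROHIBITION_DAYS = 2 * 365  # IA-4.d, FedRAMP: no reuse for at least two years


@dataclass(frozen=True)
class Account:
    identifier: str            # the user, group, role or device identifier
    assigned_to: str           # subject the identifier is bound to
    assigned_on: date          # date the identifier was assigned (IA-4.c)
    last_activity: date        # most recent logon / use
    disabled_on: Optional[date]   # None while the account is enabled
    approved_by: Optional[str]    # authorization ticket per IA-4.a; None = no record


# Constructed sample inventory (hypothetical identifiers and ticket numbers).
SAMPLE_INVENTORY = [
    Account("jdoe", "Jane Doe", date(2023, 1, 10), date(2024, 6, 28), None, "CHG-1001"),
    Account("svc-backup", "backup service", date(2022, 5, 1), date(2024, 4, 1), None, "CHG-0777"),
    Account("bsmith", "Bob Smith", date(2021, 3, 1), date(2023, 2, 1), date(2023, 3, 10), "CHG-0420"),
    Account("bsmith", "Beth Smith", date(2024, 5, 1), date(2024, 6, 29), None, "CHG-2210"),
    Account("tpham", "Tran Pham", date(2024, 6, 1), date(2024, 6, 29), None, None),
    Account("adm-ops", "operations role", date(2020, 1, 15), date(2024, 6, 30), None, "CHG-0009"),
    Account("dev-lt-0042", "laptop asset 0042", date(2023, 9, 1), date(2024, 6, 20), None, "CHG-1780"),
]
AS_OF = date(2024, 6, 30)  # constructed report date


def unauthorized_assignments(inventory: List[Account]) -> List[str]:
    """IA-4.a: identifiers assigned without a recorded authorization."""
    return sorted(a.identifier for a in inventory if a.approved_by is None)


def overdue_for_disable(inventory: List[Account], today: date,
                        max_idle_days: int = INACTIVITY_DISABLE_DAYS) -> List[str]:
    """IA-4.e: enabled identifiers idle for more than max_idle_days.

    An account whose last activity is exactly max_idle_days ago is not yet
    overdue; it becomes overdue the following day.
    """
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a.identifier for a in inventory
                  if a.disabled_on is None and a.last_activity < cutoff)


def reuse_violations(inventory: List[Account],
                     reuse_window_days: int = REUSE_PROHIBITION_DAYS
                     ) -> List[Tuple[str, str, str, str]]:
    """IA-4.d: identifiers bound to a new subject too soon after retirement.

    Returns (identifier, previous subject, new subject, reason). Two records
    for the same subject (e.g. a re-enabled account) are not a reuse.
    """
    history = defaultdict(list)
    for a in inventory:
        history[a.identifier].append(a)
    findings = []
    for ident, records in history.items():
        records.sort(key=lambda a: a.assigned_on)
        for prev, nxt in zip(records, records[1:]):
            if prev.assigned_to == nxt.assigned_to:
                continue
            if prev.disabled_on is None or nxt.assigned_on < prev.disabled_on:
                findings.append((ident, prev.assigned_to, nxt.assigned_to,
                                 "identifier bound to two subjects at the same time"))
                continue
            gap = (nxt.assigned_on - prev.disabled_on).days
            if gap < reuse_window_days:
                findings.append((ident, prev.assigned_to, nxt.assigned_to,
                                 f"reassigned after {gap} days; minimum is {reuse_window_days}"))
    return findings


if __name__ == "__main__":
    # Evidence-style summary for the assessor.
    print("IA-4.a unauthorized:", unauthorized_assignments(SAMPLE_INVENTORY))
    print("IA-4.d reuse:", reuse_violations(SAMPLE_INVENTORY))
    print("IA-4.e overdue:", overdue_for_disable(SAMPLE_INVENTORY, AS_OF))
```

The reuse check keys on the retirement date of the previous binding rather than the new account's creation date alone, which is what makes the "compare active IDs against disabled IDs" evidence item meaningful: an identifier can only be judged reusable once the two-year clock has run from the day it was disabled.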
CSP Implementation Tips: TBD