This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
NIST 800-53 (r4) Supplemental Guidance:
Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.
Related controls: AC-2, AC-14, AC-17, AC-18, IA-2, IA-4, IA-5, MA-4, RA-3, SA-12, SC-8.
References: OMB Memoranda 04-04, 11-11, 10-06-2011; FICAM Roadmap and Implementation Guidance; FIPS Publication 201; NIST Special Publications 800-63, 800-116; National Strategy for Trusted Identities in Cyberspace; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14. Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk. Related Controls: AC-2, AC-6, AC-14, AC-17, AC-18, AU-6, IA-2, IA-4, IA-5, IA-10, IA-11, MA-4, RA-3, SA-4, SC-8.
38North Guidance:
Meets Minimum Requirement:
Uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
Best Practice:
Require all customers/external users to have unique user identifiers to access the FedRAMP boundary.
Implement a specific format to ensure each user ID is unique.
Ensure that customer/external user accounts have the same password complexity requirements as organizational users.
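The three best-practice items above (unique external IDs, a fixed ID format, and one password policy for both populations) can be enforced mechanically. The following is an added illustration, not code from 38North, FedRAMP or NIST; the "ext-<org>-<user>" prefix convention, the 14-character minimum, the four character classes and the sample account records are all assumptions chosen for the example.

```python
import re
from collections import Counter

# Assumed identifier formats (an illustration, not a FedRAMP or NIST requirement):
# organizational users keep bare names; external users must carry an "ext-<org>-" prefix.
# Hyphens are not allowed in organizational IDs, so the two formats can never overlap.
ORG_ID = re.compile(r"^[a-z][a-z0-9._]{2,31}$")
EXTERNAL_ID = re.compile(r"^ext-(?P<org>[a-z0-9]{2,16})-(?P<user>[a-z0-9._]{3,32})$")

# One password policy applied to organizational and external users alike (values assumed).
MIN_LENGTH = 14
CHARACTER_CLASSES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^a-zA-Z0-9]"),
)


def classify_user_id(user_id):
    """Return 'external', 'organizational' or 'invalid' based on the ID format alone."""
    if EXTERNAL_ID.match(user_id):
        return "external"
    if ORG_ID.match(user_id):
        return "organizational"
    return "invalid"


def validate_accounts(accounts):
    """Check an account list for format violations, population mismatches and duplicates.

    accounts: list of dicts with 'user_id' and 'population' keys, where population is
    what the account record claims ('organizational' or 'external').
    Returns a list of (user_id, problem) tuples; an empty list means the list is clean.
    """
    problems = []
    # Duplicate detection is case-insensitive so 'JSmith' and 'jsmith' cannot both exist.
    counts = Counter(acct["user_id"].lower() for acct in accounts)
    for acct in accounts:
        uid = acct["user_id"]
        kind = classify_user_id(uid)
        if kind == "invalid":
            problems.append((uid, "does not match any approved ID format"))
        elif kind != acct["population"]:
            problems.append((uid, f"format says {kind} but record says {acct['population']}"))
        if counts[uid.lower()] > 1:
            problems.append((uid, "duplicate ID (case-insensitive)"))
    return problems


def password_meets_policy(password):
    """Apply the same complexity rule regardless of which population the user belongs to."""
    if len(password) < MIN_LENGTH:
        return False
    return all(cls.search(password) for cls in CHARACTER_CLASSES)


# Constructed sample records for the demonstration (not real accounts).
SAMPLE_ACCOUNTS = [
    {"user_id": "jsmith", "population": "organizational"},
    {"user_id": "ext-acme-jsmith", "population": "external"},
    {"user_id": "ext-acme-jsmith", "population": "external"},   # duplicate external ID
    {"user_id": "contractor1", "population": "external"},        # external user without prefix
    {"user_id": "Ext-Globex-a.lee", "population": "external"},   # uppercase breaks the format
]

if __name__ == "__main__":
    for uid, problem in validate_accounts(SAMPLE_ACCOUNTS):
        print(f"{uid}: {problem}")
```

Running the block against the constructed list reports four findings: the repeated external ID twice, the contractor account whose format does not mark it as external, and the ID that violates the lowercase format. The format check is what makes the uniqueness guarantee hold across populations: because an organizational ID can never contain the prefix and hyphens, an external "jsmith" cannot collide with the employee "jsmith".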
Unofficial FedRAMP Guidance: None
Assessment Evidence:
List of all accounts demonstrating uniqueness of user IDs, including differentiation between contractors, foreign nationals, etc.
CSP Implementation Tips: TBD