This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system accepts only FICAM-approved third-party credentials.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels. Related control: AU-2.
References: OMB Memoranda 04-04, 11-11, 10-06-2011; FICAM Roadmap and Implementation Guidance; FIPS Publication 201; NIST Special Publications 800-63, 800-116; National Strategy for Trusted Identities in Cyberspace; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B]. Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level. Related Controls: None.
38North Guidance:
Meets Minimum Requirement:
Accepts only FICAM-approved third-party credentials
Best Practice:
Implement the capability to allow only FICAM-approved third-party credentials, such as CAC/PIV, for customers accessing the system/application offered in the FedRAMP environment.
U.S. Government FICAM Solution guidance.
U.S. General Services Administration guidance.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots of system/application configurations that demonstrate the system accepts FICAM-approved credentials for customer access.
CSP Implementation Tips: TBD