IA-04 Identifier Management

Identification and Authentication

Baselines: Low, Moderate, High

Description

The organization manages user identifiers by: (i) uniquely identifying each user; (ii) verifying the identity of each user; (iii) receiving authorization to issue a user identifier from an appropriate organization official; (iv) issuing the user identifier to the intended party; (v) disabling the user identifier after [Assignment: organization-defined time period] of inactivity; and (vi) archiving user identifiers.

Supplemental Guidance

Identifier management is not applicable to shared information system accounts (e.g., guest and anonymous accounts). FIPS 201 and Special Publications 800-73, 800-76, and 800-78 specify a personal identity verification (PIV) credential for use in the unique identification and authentication of federal employees and contractors.

Changes from Rev 4

Removed the control step that disables the identifier after a period of inactivity, together with its associated organization-defined parameter.

Enhancements

(0) None.

MITRE ATT&CK Techniques (36)

ATT&CK v16.1

Techniques mitigated by this control, mapped via the MITRE Center for Threat-Informed Defense (CTID) mappings.

Techniques by tactic: Execution (3), Persistence (6), Privilege Escalation (6), Defense Evasion (6), Credential Access (11), Lateral Movement (4), Collection (9), Exfiltration (1)

Compliance Mappings

ISO 27001:2022

A.5.16

ISO 27002:2022

5.16

COBIT 2019

DSS05

CIS Controls v8

CIS 5, CIS 5.5, CIS 6.6

NIST CSF 2.0

PR.AA-01, PR.AA-02

SOC 2 TSC

CC6.1, CC6.1-POF3, CC6.1-POF4, CC6.6, CC6.6-POF2, CC6.6-POF3

PCI DSS v4.0.1

8.2

CSA CCM v4

IAM-03, IAM-06, IAM-13

CSA AICM v1

IAM-03, IAM-06, IAM-13

FINOS CCC

CCC-C11

MAS TRM

9

BSI IT-Grundschutz

ORP.4

ANSSI

Hygiene.11, Hygiene.32, Hygiene.6, Hygiene.7, SecNumCloud.10.2

FINMA Circular 2023/1

IV.B.d(59), IV.B.d(60)

OSFI B-13

B-13.3.2

EU GDPR

Art.32(1)(b), Art.5(1)(f)

EU DORA

Art.9(4)(c), Art.9(4)(d)

BIO2

5.16

RBI CSF

Annex1.8, ITGRCA.19

FISC Security Guidelines

FISC.T2

HKMA TM-E-1

TME1.8.1

MLPS 2.0

8.1.4.1

DNB Good Practice

DNB.17.1, DNB.17.2

EU CRA

CRA.I.2d

SAMA CSF

3.1

NCA ECC

2-2

UAE IA

T9

CBB TM

TM-6

Qatar NIA

AC

CBUAE

CR-4

CBE CSF

CTO-1

SA JS2

JS2-7.1

CBN CSF

Part3.2

BoG CISD

CISD-VIII

POPIA

s19

BoM CTRM

3.3

IOSCO Cyber Resilience

PROT-1

CPMI-IOSCO PFMI

CG.PR

FFIEC IS

II.C.15, II.C.7(b)

NYDFS 500

500.7

HIPAA Security Rule

§164.308(a)(3)(ii)(C), §164.308(a)(4)(ii)(C), §164.308(a)(5)(ii)(D), §164.312(a)(2)(i), §164.312(d)

ECB CROE

CROE.2.3.1

EBA ICT Guidelines

3.4.2

SEBI CSCRF

PR.AA

BOT Cyber Resilience

Ch2.2

CMMC 2.0

ACIA

DOE C2M2 v2.1

ACCESS

IAEA NSS 17-T

Sec 5.2

Common Criteria

CC Part 2 — FIA

ISAE 3402

Clause 4

Solvency II

EIOPA-ICT-4.4

Lloyd's Minimum Standards

MS8.3

NAIC Insurance Data Security

4-access4B

PRA SS1/23

P-IT.1

FCA SYSC 13

SYSC 13.7.3

HITRUST CSF v11

01.a, 02.c

FDA 21 CFR Part 11

§11.10(d), §11.100(a), §11.100(b), §11.200(a)(2), §11.300(a), §11.300(c)

FDA Cybersecurity Guidance

SA-1

ISO 27799

7.39.3

NHS DSPT

NDG-4.1, NDG-4.2

MiCA

Art.63(2)

Basel SCO60

SCO60.62

ISO 17799 (legacy)

11.2.3, 11.5.2

COBIT 4.1 (legacy)

DS5.3, DS5.4