IAC

Identification & Authentication

112 controls

Enforce the concept of “least privilege” consistently across all systems, applications and services for individual, group and service accounts through a documented and standardized Identity and Access Management (IAM) capability.

| SCF # | Control Name | Weight | NIST CSF | Frameworks |
|---|---|---|---|---|
| IAC-01 | Identity & Access Management (IAM) | 10 — Critical | Govern | 134 |
| IAC-01.1 | Retain Access Records | 3 — Low | Protect | 3 |
| IAC-01.2 | Authenticate, Authorize and Audit (AAA) | 9 — Critical | Protect | 35 |
| IAC-01.3 | User & Service Account Inventories | 10 — Critical | Identify | 10 |
| IAC-02 | Identification & Authentication for Organizational Users | 9 — Critical | Protect | 99 |
| IAC-02.1 | Group Authentication | 7 — High | Protect | 29 |
| IAC-02.2 | Replay-Resistant Authentication | 9 — Critical | Protect | 48 |
| IAC-02.3 | Acceptance of PIV Credentials | 2 — Low | Protect | 30 |
| IAC-02.4 | Out-of-Band Authentication (OOBA) | 5 — Medium | Protect | 5 |
| IAC-03 | Identification & Authentication for Non-Organizational Users | 9 — Critical | Protect | 73 |
| IAC-03.1 | Acceptance of PIV Credentials from Other Organizations | 2 — Low | Protect | 24 |
| IAC-03.2 | Acceptance of Third-Party Credentials | 2 — Low | Protect | 25 |
| IAC-03.3 | Use of FICAM-Issued Profiles | 2 — Low | Protect | 25 |
| IAC-03.4 | Disassociability | 2 — Low | Protect | 2 |
| IAC-03.5 | Acceptance of External Authenticators | 4 — Medium | Protect | 8 |
| IAC-04 | Identification & Authentication for Devices | 9 — Critical | Protect | 70 |
| IAC-04.1 | Device Attestation | 5 — Medium | Protect | 3 |
| IAC-04.2 | Device Authorization Enforcement | 5 — Medium | Protect | 1 |
| IAC-05 | Identification & Authentication for Third-Party Technology Assets, Applications and/or Services (TAAS) | 9 — Critical | Protect | 39 |
| IAC-05.1 | Sharing Identification & Authentication Information | 5 — Medium | Protect | 6 |
| IAC-05.2 | Privileged Access by Non-Organizational Users | 9 — Critical | Protect | 10 |
| IAC-06 | Multi-Factor Authentication (MFA) | 9 — Critical | Protect | 86 |
| IAC-06.1 | Network Access to Privileged Accounts | 9 — Critical | Protect | 63 |
| IAC-06.2 | Network Access to Non-Privileged Accounts | 7 — High | Protect | 52 |
| IAC-06.3 | Local Access to Privileged Accounts | 5 — Medium | Protect | 48 |
| IAC-06.4 | Out-of-Band Multi-Factor Authentication | 5 — Medium | Protect | 30 |
| IAC-06.5 | Alternative Multi-Factor Authentication | 5 — Medium | Protect | 1 |
| IAC-07 | User Provisioning & De-Provisioning | 10 — Critical | Protect | 59 |
| IAC-07.1 | Change of Roles & Duties | 10 — Critical | Protect | 35 |
| IAC-07.2 | Termination of Employment | 10 — Critical | Protect | 55 |
| IAC-08 | Role-Based Access Control (RBAC) | 9 — Critical | Protect | 96 |
| IAC-09 | Identifier Management (User Names) | 9 — Critical | Protect | 73 |
| IAC-09.1 | User Identity (ID) Management | 9 — Critical | Protect | 42 |
| IAC-09.2 | Identity User Status | 7 — High | Protect | 26 |
| IAC-09.3 | Dynamic Management | 5 — Medium | Protect | 18 |
| IAC-09.4 | Cross-Organization Management | 5 — Medium | Protect | 9 |
| IAC-09.5 | Privileged Account Identifiers | 9 — Critical | Protect | 18 |
| IAC-09.6 | Pairwise Pseudonymous Identifiers (PPID) | 1 — Low | Protect | 9 |
| IAC-10 | Authenticator Management | 10 — Critical | Protect | 102 |
| IAC-10.1 | Password-Based Authentication | 9 — Critical | Protect | 88 |
| IAC-10.2 | PKI-Based Authentication | 9 — Critical | Protect | 36 |
| IAC-10.3 | In-Person or Trusted Third-Party Registration | 9 — Critical | Protect | 19 |
| IAC-10.4 | Automated Support For Password Strength | 5 — Medium | Protect | 38 |
| IAC-10.5 | Protection of Authenticators | 10 — Critical | Protect | 51 |
| IAC-10.6 | No Embedded Unencrypted Static Authenticators | 10 — Critical | Protect | 29 |
| IAC-10.7 | Hardware Token-Based Authentication | 9 — Critical | Protect | 32 |
| IAC-10.8 | Default Authenticators | 10 — Critical | Protect | 77 |
| IAC-10.9 | Multiple System Accounts | 5 — Medium | Protect | 4 |
| IAC-10.10 | Expiration of Cached Authenticators | 5 — Medium | Protect | 8 |
| IAC-10.11 | Password Managers | 8 — High | Protect | 20 |
| IAC-10.12 | Biometric Authentication | 5 — Medium | Protect | 5 |
| IAC-10.13 | Events Requiring Authenticator Change | 9 — Critical | Protect | 1 |
| IAC-10.14 | Passkeys | 8 — High | Protect | 1 |
| IAC-11 | Authenticator Feedback | 6 — Medium | Protect | 48 |
| IAC-12 | Cryptographic Module Authentication | 8 — High | Protect | 39 |
| IAC-12.1 | Hardware Security Modules (HSM) | 3 — Low | Protect | 2 |
| IAC-13 | Adaptive Identification & Authentication | 5 — Medium | Protect | 12 |
| IAC-13.1 | Single Sign-On (SSO) Transparent Authentication | 5 — Medium | Protect | 4 |
| IAC-13.2 | Federated Credential Management | 4 — Medium | Protect | 8 |
| IAC-13.3 | Continuous Authentication | 2 — Low | Protect | 7 |
| IAC-14 | Re-Authentication | 8 — High | Protect | 33 |
| IAC-15 | Account Management | 10 — Critical | Protect | 88 |
| IAC-15.1 | Automated System Account Management (Directory Services) | 5 — Medium | Protect | 39 |
| IAC-15.2 | Removal of Temporary / Emergency Accounts | 9 — Critical | Protect | 27 |
| IAC-15.3 | Disable Inactive Accounts | 10 — Critical | Protect | 49 |
| IAC-15.4 | Automated Audit Actions | 5 — Medium | Protect | 20 |
| IAC-15.5 | Restrictions on Shared Groups / Accounts | 10 — Critical | Protect | 33 |
| IAC-15.6 | Account Disabling for High Risk Individuals | 10 — Critical | Protect | 23 |
| IAC-15.7 | System Account Reviews | 10 — Critical | Protect | 16 |
| IAC-15.8 | Usage Conditions | 5 — Medium | Protect | 12 |
| IAC-15.9 | Emergency Accounts | 5 — Medium | Respond | 6 |
| IAC-16 | Privileged Account Management (PAM) | 10 — Critical | Protect | 56 |
| IAC-16.1 | Privileged Account Inventories | 10 — Critical | Protect | 23 |
| IAC-16.2 | Privileged Account Separation | 4 — Medium | Protect | 2 |
| IAC-16.3 | Privileged Command Execution | 5 — Medium | Protect | 1 |
| IAC-16.4 | Dedicated Privileged Account | 7 — High | Protect | 2 |
| IAC-17 | Periodic Review of Account Privileges | 10 — Critical | Detect | 51 |
| IAC-18 | User Responsibilities for Account Management | 10 — Critical | Protect | 24 |
| IAC-19 | Credential Sharing | 10 — Critical | Protect | 10 |
| IAC-20 | Access Enforcement | 10 — Critical | Protect | 74 |
| IAC-20.1 | Access To Sensitive / Regulated Data | 10 — Critical | Protect | 19 |
| IAC-20.2 | Database Access | 10 — Critical | Protect | 7 |
| IAC-20.3 | Use of Privileged Utility Programs | 9 — Critical | Protect | 16 |
| IAC-20.4 | Dedicated Administrative Machines | 8 — High | Protect | 8 |
| IAC-20.5 | Dual Authorization for Privileged Commands | 5 — Medium | Protect | 5 |
| IAC-20.6 | Revocation of Access Authorizations | 9 — Critical | Protect | 13 |
| IAC-20.7 | Authorized System Accounts | 9 — Critical | Protect | 0 |
| IAC-21 | Least Privilege | 10 — Critical | Protect | 104 |
| IAC-21.1 | Authorize Access to Security Functions | 9 — Critical | Protect | 26 |
| IAC-21.2 | Non-Privileged Access for Non-Security Functions | 9 — Critical | Protect | 40 |
| IAC-21.3 | Management Approval For Privileged Accounts | 10 — Critical | Protect | 40 |
| IAC-21.4 | Auditing Use of Privileged Functions | 9 — Critical | Detect | 37 |
| IAC-21.5 | Prohibit Non-Privileged Users from Executing Privileged Functions | 9 — Critical | Protect | 34 |
| IAC-21.6 | Network Access to Privileged Commands | 5 — Medium | Protect | 10 |
| IAC-21.7 | Privilege Levels for Code Execution | 5 — Medium | Protect | 9 |
| IAC-22 | Account Lockout | 9 — Critical | Protect | 66 |
| IAC-23 | Concurrent Session Control | 6 — Medium | Protect | 21 |
| IAC-24 | Session Lock | 9 — Critical | Protect | 55 |
| IAC-24.1 | Pattern-Hiding Displays | 9 — Critical | Protect | 33 |
| IAC-25 | Session Termination | 9 — Critical | Protect | 52 |
| IAC-25.1 | User-Initiated Logouts / Message Displays | 5 — Medium | Protect | 7 |
| IAC-26 | Permitted Actions Without Identification or Authorization | 8 — High | Protect | 36 |
| IAC-27 | Reference Monitor | 1 — Low | Protect | 4 |
| IAC-28 | Identity Proofing (Identity Verification) | 10 — Critical | Protect | 26 |
| IAC-28.1 | Management Approval For New or Changed Accounts | 10 — Critical | Detect | 27 |
| IAC-28.2 | Identity Evidence | 5 — Medium | Protect | 13 |
| IAC-28.3 | Identity Evidence Validation & Verification | 5 — Medium | Protect | 13 |
| IAC-28.4 | In-Person Validation & Verification | 5 — Medium | Protect | 11 |
| IAC-28.5 | Address Confirmation | 1 — Low | Protect | 10 |
| IAC-29 | Attribute-Based Access Control (ABAC) | 5 — Medium | Identify | 2 |
| IAC-29.1 | Real-Time Access Decisions | 3 — Low | Protect | 1 |
| IAC-29.2 | Access Profile Rules | 5 — Medium | Protect | 1 |

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.