IAC-01: Identity & Access Management (IAM)
Mechanisms exist to facilitate the implementation of identification and access management controls.
Control Question: Does the organization facilitate the implementation of identification and access management controls?
General (56)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC6.1 CC6.1-POF3 CC6.1-POF7 CC6.1-POF8 CC6.1-POF9 CC6.6 CC6.6-POF2 CC6.6-POF3 |
| CIS CSC 8.1 | 4.7 5 5.6 6 6.6 |
| CIS CSC 8.1 IG2 | 5.6 6.7 |
| CIS CSC 8.1 IG3 | 5.6 6.7 |
| COBIT 2019 | DSS05.04 DSS06.03 |
| CSA CCM 4 | IAM-01 IAM-02 IAM-16 |
| CSA IoT SCF 2 | CLS-09 IAM-16 IAM-17 |
| ENISA 2.0 | SO11 |
| Generally Accepted Privacy Principles (GAPP) | 8.2.2 |
| GovRAMP Low | AC-01 IA-01 |
| GovRAMP Low+ | AC-01 IA-01 |
| GovRAMP Moderate | AC-01 IA-01 |
| GovRAMP High | AC-01 IA-01 |
| IEC TR 60601-4-5 2021 | 4.2 |
| IEC 62443-4-2 2019 | FR 1 (5.1) CR 1.3 (5.5.1) |
| ISO 27002 2022 | 5.15 5.18 |
| ISO 27017 2015 | 9.1 9.1.1 9.1.2 |
| ISO 27018 2014 | A.10.10 |
| MPA Content Security Program 5.1 | OR-3.1 TS-1.6 TS-1.7 |
| NAIC Insurance Data Security Model Law (MDL-668) | 4.D(2)(a) |
| NIST Privacy Framework 1.0 | PR.AC-P1 |
| NIST 800-53 R4 | AC-1 IA-1 |
| NIST 800-53 R4 (low) | AC-1 IA-1 |
| NIST 800-53 R4 (moderate) | AC-1 IA-1 |
| NIST 800-53 R4 (high) | AC-1 IA-1 |
| NIST 800-53 R5 (source) | AC-1 IA-1 |
| NIST 800-53B R5 (privacy) (source) | AC-1 |
| NIST 800-53B R5 (low) (source) | AC-1 IA-1 |
| NIST 800-53B R5 (moderate) (source) | AC-1 IA-1 |
| NIST 800-53B R5 (high) (source) | AC-1 IA-1 |
| NIST 800-82 R3 LOW OT Overlay | AC-1 IA-1 |
| NIST 800-82 R3 MODERATE OT Overlay | AC-1 IA-1 |
| NIST 800-82 R3 HIGH OT Overlay | AC-1 IA-1 |
| NIST 800-161 R1 | AC-1 IA-1 |
| NIST 800-161 R1 C-SCRM Baseline | AC-1 IA-1 |
| NIST 800-161 R1 Flow Down | AC-1 |
| NIST 800-161 R1 Level 1 | AC-1 IA-1 |
| NIST 800-161 R1 Level 2 | AC-1 IA-1 |
| NIST 800-161 R1 Level 3 | AC-1 IA-1 |
| NIST 800-171 R2 (source) | 3.1.1 NFO-AC-1 NFO-IA-1 |
| NIST 800-171 R3 (source) | 03.01.01.a 03.01.18.b 03.05.01.a 03.05.05.a 03.05.12.e |
| NIST 800-207 | NIST Tenet 6 |
| NIST CSF 2.0 (source) | PR.AA PR.AA-05 |
| OWASP Top 10 2021 | A01:2021 A07:2021 |
| PCI DSS 4.0.1 (source) | 7.1 7.2 7.2.1 7.3 7.3.1 7.3.2 7.3.3 8.1 8.2 8.3.3 8.3.8 8.5.1 8.6.1 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 8.3.3 8.3.8 8.5.1 8.6.1 |
| PCI DSS 4.0.1 SAQ C (source) | 8.3.3 8.3.8 8.5.1 8.6.1 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 7.2.1 7.3.1 7.3.2 7.3.3 8.3.3 8.3.8 8.5.1 8.6.1 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 7.2.1 7.3.1 7.3.2 7.3.3 8.3.3 8.3.8 8.5.1 8.6.1 |
| SWIFT CSF 2023 | 1.2 4.1 5.2 |
| TISAX ISA 6 | 4.1.1 |
| UL 2900-1 2017 | 8.1 8.6 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | IAC-01 |
| SCF CORE ESP Level 1 Foundational | IAC-01 |
| SCF CORE ESP Level 2 Critical Infrastructure | IAC-01 |
| SCF CORE ESP Level 3 Advanced Threats | IAC-01 |
US (46)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | ACCESS-2.A.MIL1 ACCESS-2.C.MIL2 |
| US CERT RMM 1.2 | AM:SG1.SP1 HRM:SG4.SP2 ID:SG1.SP3 KIM:SG4.SP2 |
| US CISA CPG 2022 | 2.E 2.L |
| US CJIS Security Policy 5.9.3 (source) | AC-1 IA-1 |
| US CMMC 2.0 Level 1 (source) | AC.L1-B.1.I |
| US CMMC 2.0 Level 2 (source) | AC.L2-3.1.1 |
| US CMMC 2.0 Level 3 (source) | AC.L2-3.1.1 |
| US CMS MARS-E 2.0 | AC-1 IA-1 |
| US DoD Zero Trust Execution Roadmap | 1.1.1 1.2.4 1.2.5 1.5.2 1.5.3 1.5.4 1.9 |
| US DHS CISA TIC 3.0 | 3.PEP.WE.ACONT 3.PEP.NE.ACONT 3.PEP.DA.ACONT 3.PEP.SE.ACONT 3.PEP.ID.EIAMA |
| US DHS ZTCF | ACC-01 NTW-02 USR-01 |
| US FAR 52.204-21 | 52.204-21(b)(1)(i) |
| US FDA 21 CFR Part 11 | 11.10 11.10(d) 11.10(g) 11.100 11.100(a) 11.100(b) |
| US FedRAMP R4 | AC-1 IA-1 |
| US FedRAMP R4 (low) | AC-1 IA-1 |
| US FedRAMP R4 (moderate) | AC-1 IA-1 |
| US FedRAMP R4 (high) | AC-1 IA-1 |
| US FedRAMP R4 (LI-SaaS) | AC-1 IA-1 |
| US FedRAMP R5 (source) | AC-1 IA-1 |
| US FedRAMP R5 (low) (source) | AC-1 IA-1 |
| US FedRAMP R5 (moderate) (source) | AC-1 IA-1 |
| US FedRAMP R5 (high) (source) | AC-1 IA-1 |
| US FedRAMP R5 (LI-SaaS) (source) | AC-1 IA-1 |
| US GLBA CFR 314 2023 (source) | 314.4(c)(1) 314.4(c)(1)(i) 314.4(c)(1)(ii) |
| US HIPAA Administrative Simplification 2013 (source) | 164.308(a)(3)(i) 164.308(a)(4)(i) 164.308(a)(4)(ii)(B) 164.310(a)(2)(iii) 164.312(a)(1) 164.530(c)(2)(ii) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.308(a)(3)(i) 164.308(a)(4)(i) 164.308(a)(4)(ii)(B) 164.310(a)(2)(iii) 164.312(a)(1) |
| US HIPAA HICP Small Practice | 3.S.A |
| US HIPAA HICP Medium Practice | 9.M.C |
| US HIPAA HICP Large Practice | 9.M.C |
| US IRS 1075 | 2.E.6.2 AC-1 IA-1 |
| US ITAR Part 120 | 120.14 120.15 120.16 |
| US NERC CIP 2024 (source) | CIP-003-8 1.1.2 CIP-003-8 1.2.3 CIP-004-7 4.1.1 CIP-004-7 R4 CIP-004-7 R6 CIP-007-6 5.1 |
| US NISPOM 2020 | 8-101 8-606 8-607 |
| US NNPI (unclass) | 1.1 7.1 |
| US NSTC NSPM-33 | 6.6 |
| US SSA EIESR 8.0 | 5.3 5.6 |
| US TSA / DHS 1580/82-2022-01 | III.C |
| US - AK PIPA | 45.48.510 |
| US - CA SB327 | 1798.91.04(b) 1798.91.04(b)(1) 1798.91.04(b)(2) |
| US - CA CCPA 2025 | 7123(c)(1) 7123(c)(3) 7123(c)(3)(C) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.3(d) 500.7(a)(1) 500.7(b) |
| US - NY SHIELD Act S5575B | 4(2)(b)(ii)(C)(3) |
| US - TX DIR Control Standards 2.0 | AC-1 IA-1 |
| US - TX TX-RAMP Level 1 | AC-1 IA-1 |
| US - TX TX-RAMP Level 2 | AC-1 IA-1 |
| US - VT Act 171 of 2018 | 2447(b)(5) 2447(c)(1)(A)(iv) 2447(c)(1)(B) |
EMEA (21)
| Framework | Mapping Values |
|---|---|
| EMEA EU DORA | 9.4(d) |
| EMEA EU NIS2 | 21.2(i) 21.2(j) |
| EMEA EU NIS2 Annex | 11.1.1 11.1.2(a) 11.1.2(b) 11.1.2(c) 11.1.3 11.3.1 11.5.1 11.5.2(c) 11.6.4 |
| EMEA EU PSD2 | 4 |
| EMEA Austria | Sec 14 Sec 15 |
| EMEA Belgium | 16 |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 6.1 6.2 |
| EMEA Germany C5 2020 | IDM-01 PSS-05 PSS-09 |
| EMEA Israel CDMO 1.0 | 4.1 4.8 4.34 4.37 12.15 12.28 12.29 |
| EMEA Saudi Arabia CSCC-1 2019 | 2-2 2-2-1-5 |
| EMEA Saudi Arabia ECC-1 2018 | 2-2-1 2-2-2 2-2-4 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-2 2-2-1 |
| EMEA Saudi Arabia SACS-002 | TPC-10 |
| EMEA Saudi Arabia SAMA CSF 1.0 | 3.3.5 |
| EMEA South Africa | 19 20 |
| EMEA Spain BOE-A-2022-7191 | 18 |
| EMEA Spain 311/2022 | 18 |
| EMEA Spain CCN-STIC 825 | 7.2.2 [OP.ACC.2] 7.2.4 [OP.ACC.4] |
| EMEA UK CAF 4.0 | B2 B2.d |
| EMEA UK Cyber Essentials | 2 |
| EMEA UK DEFSTAN 05-138 | 2200 2208 2210 |
APAC (7)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-1146 ISM-1546 |
| APAC China Cybersecurity Law | 40 |
| APAC India SEBI CSCRF | PR.AA.S1 PR.AA.S15 PR.AA.S6 |
| APAC Japan ISMAP | 9.1.1 |
| APAC New Zealand NZISM 3.6 | 16.1.31.C.01 |
| APAC Singapore Cyber Hygiene Practice | 4.1 |
| APAC Singapore MAS TRM 2021 | 9.1.2 9.1.3 9.1.8 |
Americas (4)
| Framework | Mapping Values |
|---|---|
| Americas Bermuda BMACCC | 6.6 |
| Americas Canada CSAG | 4.22 4.24 |
| Americas Canada OSFI B-13 | 3.2.7 |
| Americas Canada ITSP-10-171 | 03.01.01.A 03.01.18.B 03.05.01.A 03.05.05.A 03.05.12.E |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to facilitate the implementation of identification and access management controls.
Level 1 — Performed Informally
Identification & Authentication (IAC) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Identity & Access Management (IAM) is decentralized where Active Directory (AD), or a similar technology, may be used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific systems, applications and services.
- IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
- IT personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.
Level 2 — Planned & Tracked
Identification & Authentication (IAC) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Implement and maintain an Identity & Access Management (IAM) capability for all users to implement “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts. o Govern IAM technologies via RBAC to prohibit privileged access by non-organizational users, unless there is an explicit support contract for privileged IT support services.
- Logical Access Control (LAC) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for logical access control.
- IT personnel:
- Active Directory (AD), or a similar technology, is primarily used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific systems, applications and services that cannot be integrated into AD.
- IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
Level 3 — Well Defined
Identification & Authentication (IAC) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data that conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides). o Uses a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets configured to perform integrity checking and alert on unauthorized configuration changes.
- The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for logical access control practices.
- The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for logical access control.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to logical access control.
- A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including logical access control.
- An IT Asset Management (ITAM) function, or similar function:
- An Identity & Access Management (IAM) function, or similar function, centrally manages permissions and implements “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.
- The Human Resources (HR) department governs personnel management operations and notifies IAM personnel of personnel role changes for RBAC-based provisioning and deprovisioning actions.
- An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
- Active Directory (AD), or a similar technology, is used to centrally manage identities and permissions. Only by exception due to a technical or business limitation are solutions authorized to operate a decentralized access control program for systems, applications and services.
Level 4 — Quantitatively Controlled
Identification & Authentication (IAC) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation of identification and access management controls.
Assessment Objectives
- IAC-01_A01 a capability to govern logical identification and access management controls is implemented.
- IAC-01_A02 the Identity & Access Management (IAM) program is organization-wide.
- IAC-01_A03 Identity and Access Management (IAM) operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
- IAC-01_A04 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support Identity and Access Management (IAM) operations.
- IAC-01_A05 responsibility and authority for the performance of Identity and Access Management (IAM)-related activities are assigned to designated personnel.
- IAC-01_A06 personnel performing Identity and Access Management (IAM)-related activities have the skills and knowledge needed to perform their assigned duties.
Evidence Requirements
- E-AST-01 IT Asset Management (ITAM)
-
Documented evidence of an IT Asset Management (ITAM) program that addresses the due diligence and due care activities associated with maintaining both secure and compliant systems, applications and services.
Asset Management - E-IAM-05 Identity & Access Management (IAM) Function
-
Documented evidence of an Identity & Access Management (IAM), or similar function, that facilitates the implementation of identification and access management controls.
Identity & Access Management - E-IAM-12 Account Management Documentation
-
Documented evidence of list of account management practices.
Identity & Access Management
Technology Recommendations
Medium
- Identity & Access Management (IAM) program
Large
- Identity & Access Management (IAM) program
Enterprise
- Identity & Access Management (IAM) program