Skip to main content

IAC-02: Identification & Authentication for Organizational Users

IAC 9 — Critical Protect

Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.

Control Question: Does the organization uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users?

General (52)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC6.1 CC6.1-POF3 CC6.1-POF4 CC6.1-POF8
CIS CSC 8.1 5.5 5.6 6.7 12.5
CIS CSC 8.1 IG2 5.5 5.6 6.7 12.5
CIS CSC 8.1 IG3 5.5 5.6 6.7 12.5
COBIT 2019 DSS05.04
CSA CCM 4 IAM-13 IAM-16
GovRAMP Core IA-02
GovRAMP Low IA-02
GovRAMP Low+ IA-02
GovRAMP Moderate IA-02
GovRAMP High IA-02
IEC 62443-4-2 2019 CR 1.1 (5.3.1) CR 1.1 (5.3.3(1))
ISO 27002 2022 5.15
ISO 27018 2014 A.10.10
MITRE ATT&CK 10 T1003, T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008, T1021, T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006, T1036.007, T1040, T1047, T1053, T1053.001, T1053.002, T1053.003, T1053.005, T1053.006, T1053.007, T1055, T1055.008, T1056.003, T1059, T1059.001, T1059.008, T1072, T1078, T1078.002, T1078.003, T1078.004, T1087.004, T1098, T1098.001, T1098.002, T1098.003, T1110, T1110.001, T1110.002, T1110.003, T1110.004, T1111, T1114, T1114.002, T1133, T1134, T1134.001, T1134.002, T1134.003, T1136, T1136.001, T1136.002, T1136.003, T1185, T1190, T1197, T1210, T1213, T1213.001, T1213.002, T1213.003, T1218, T1218.007, T1222, T1222.001, T1222.002, T1484, T1489, T1495, T1505, T1505.002, T1505.004, T1525, T1528, T1530, T1537, T1538, T1539, T1542, T1542.001, T1542.003, T1542.005, T1543, T1543.001, T1543.002, T1543.003, T1543.004, T1546.003, T1547.004, T1547.006, T1547.009, T1547.012, T1547.013, T1548, T1548.002, T1548.003, T1550, T1550.001, T1550.002, T1550.003, T1552, T1552.001, T1552.002, T1552.004, T1552.006, T1552.007, T1555.005, T1556, T1556.001, T1556.003, T1556.004, T1558, T1558.001, T1558.002, T1558.003, T1558.004, T1559, T1559.001, T1562, T1562.001, T1562.002, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1563, T1563.001, T1563.002, T1569, T1569.001, T1569.002, T1574, T1574.005, T1574.010, T1574.012, T1578, T1578.001, T1578.002, T1578.003, T1580, T1599, T1599.001, T1601, T1601.001, T1601.002, T1610, T1611, T1613, T1619
MPA Content Security Program 5.1 TS-1.6
NIST Privacy Framework 1.0 PR.AC-P1 PR.AC-P6
NIST 800-53 R4 IA-2
NIST 800-53 R4 (low) IA-2
NIST 800-53 R4 (moderate) IA-2
NIST 800-53 R4 (high) IA-2
NIST 800-53 R5 (source) IA-2
NIST 800-53B R5 (low) (source) IA-2
NIST 800-53B R5 (moderate) (source) IA-2
NIST 800-53B R5 (high) (source) IA-2
NIST 800-82 R3 LOW OT Overlay IA-2
NIST 800-82 R3 MODERATE OT Overlay IA-2
NIST 800-82 R3 HIGH OT Overlay IA-2
NIST 800-161 R1 IA-2
NIST 800-161 R1 C-SCRM Baseline IA-2
NIST 800-161 R1 Flow Down IA-2
NIST 800-161 R1 Level 1 IA-2
NIST 800-161 R1 Level 2 IA-2
NIST 800-161 R1 Level 3 IA-2
NIST 800-171 R2 (source) 3.1.1 3.5.1 3.5.2
NIST 800-171A (source) 3.5.1[a] 3.5.1[b] 3.5.1[c] 3.5.2[a] 3.5.2[b] 3.5.2[c]
NIST 800-171 R3 (source) 03.05.01.a 03.05.05.d
NIST 800-171A R3 (source) A.03.05.01.a[03]
NIST 800-207 NIST Tenet 3
NIST CSF 2.0 (source) PR.AA-01 PR.AA-03 PR.AA-05
PCI DSS 4.0.1 (source) 7.1 7.2 7.2.1 7.3 7.3.1 7.3.2 7.3.3 8.1 8.2 8.3 8.3.3 8.3.9
PCI DSS 4.0.1 SAQ A (source) 8.3.9
PCI DSS 4.0.1 SAQ A-EP (source) 8.3.3 8.3.9
PCI DSS 4.0.1 SAQ C (source) 8.3.3 8.3.9
PCI DSS 4.0.1 SAQ D Merchant (source) 7.2.1 7.3.1 7.3.2 7.3.3 8.3.3 8.3.9
PCI DSS 4.0.1 SAQ D Service Provider (source) 7.2.1 7.3.1 7.3.2 7.3.3 8.3.3 8.3.9
SPARTA CM0031
TISAX ISA 6 4.1.2 4.1.3
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) IAC-02
SCF CORE ESP Level 1 Foundational IAC-02
SCF CORE ESP Level 2 Critical Infrastructure IAC-02
SCF CORE ESP Level 3 Advanced Threats IAC-02
US (33)
Framework Mapping Values
US CERT RMM 1.2 AM:SG1.SP1 ID:SG1.SP1 ID:SG1.SP2 ID:SG1.SP3 TM:SG4.SP4
US CJIS Security Policy 5.9.3 (source) IA-2
US CMMC 2.0 Level 1 (source) AC.L1-B.1.I IA.L1-B.1.V IA.L1-B.1.VI
US CMMC 2.0 Level 1 AOs (source) IA.L1-B.1.V[a] IA.L1-B.1.V[c] IA.L1-B.1.VI[a] IA.L1-B.1.VI[b] IA.L1-B.1.VI[c]
US CMMC 2.0 Level 2 (source) AC.L2-3.1.1 IA.L2-3.5.1 IA.L2-3.5.2
US CMMC 2.0 Level 3 (source) AC.L2-3.1.1 IA.L2-3.5.1 IA.L2-3.5.2
US CMS MARS-E 2.0 IA-2
US DHS ZTCF ACC-01 USR-01 USR-03
US FAR 52.204-21 52.204-21(b)(1)(i) 52.204-21(b)(1)(v) 52.204-21(b)(1)(vi)
US FDA 21 CFR Part 11 11.10 11.10(d) 11.10(g)
US FedRAMP R4 IA-2
US FedRAMP R4 (low) IA-2
US FedRAMP R4 (moderate) IA-2
US FedRAMP R4 (high) IA-2
US FedRAMP R4 (LI-SaaS) IA-2
US FedRAMP R5 (source) IA-2
US FedRAMP R5 (low) (source) IA-2
US FedRAMP R5 (moderate) (source) IA-2
US FedRAMP R5 (high) (source) IA-2
US FedRAMP R5 (LI-SaaS) (source) IA-2
US HIPAA Administrative Simplification 2013 (source) 164.312(a)(2)(i)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.312(a)(2)(i)
US IRS 1075 IA-2
US ITAR Part 120 120.14 120.15 120.16
US NISPOM 2020 8-607
US NNPI (unclass) 7.1
US NSTC NSPM-33 6.6 6.7
US SSA EIESR 8.0 5.3
US - CA CCPA 2025 7123(c)(3)(A)(i)
US - TX DIR Control Standards 2.0 IA-2
US - TX TX-RAMP Level 1 IA-2
US - TX TX-RAMP Level 2 IA-2
US - VT Act 171 of 2018 2447(c)(1)(A)(iv)
EMEA (10)
Framework Mapping Values
EMEA EU NIS2 Annex 11.5.2(a)
EMEA Germany C5 2020 IDM-01 PSS-05 PSS-09
EMEA Israel CDMO 1.0 4.2 4.31 4.34
EMEA Saudi Arabia ECC-1 2018 2-2-3
EMEA Saudi Arabia SACS-002 TPC-32
EMEA Spain BOE-A-2022-7191 24.3
EMEA Spain 311/2022 24.3
EMEA UK CAF 4.0 B2.a
EMEA UK Cyber Essentials 2
EMEA UK DEFSTAN 05-138 2218
APAC (3)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0414 ISM-0415 ISM-1546
APAC New Zealand NZISM 3.6 16.1.32.C.01
APAC New Zealand Privacy Act of 2020 Principle 13 P13-(1) P13-(2) P13-(2)(a) P13-(2)(b) P13-(3) P13-(4)(a) P13-(4)(b) P13-(5)
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.05.01.a 03.05.05.d

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.

Level 1 — Performed Informally

Identification & Authentication (IAC) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Identity & Access Management (IAM) is decentralized where Active Directory (AD), or a similar technology, may be used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific systems, applications and services.
  • IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
  • IT personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.
Level 2 — Planned & Tracked

Identification & Authentication (IAC) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Implement and maintain an Identity & Access Management (IAM) capability for all users to implement “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts. o Govern IAM technologies via RBAC to prohibit privileged access by non-organizational users, unless there is an explicit support contract for privileged IT support services.

  • Logical Access Control (LAC) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for logical access control.
  • IT personnel:
  • Active Directory (AD), or a similar technology, is primarily used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific systems, applications and services that cannot be integrated into AD.
  • IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
Level 3 — Well Defined

Identification & Authentication (IAC) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An Identity & Access Management (IAM) function, or similar function, centrally manages permissions and implements “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.
  • The Human Resources (HR) department governs personnel management operations and notifies IAM personnel of personnel role changes for RBAC-based provisioning and deprovisioning actions.
  • An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data that conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
  • An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
  • Active Directory (AD), or a similar technology, is used to centrally manage identities and permissions. Only by exception due to a technical or business limitation are solutions authorized to operate a decentralized access control program for systems, applications and services.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.

Assessment Objectives

  1. IAC-02_A01 system, application and service users are identified.
  2. IAC-02_A02 the identity of each user is authenticated or verified as a prerequisite to system access.
  3. IAC-02_A03 processes acting on behalf of users are associated with uniquely identified and authenticated system users.
  4. IAC-02_A04 the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access.
  5. IAC-02_A05 the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
  6. IAC-02_A06 the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.
  7. IAC-02_A07 devices accessing the system are identified.
  8. IAC-02_A08 individual identifiers are managed by uniquely identifying each individual as <A.03.05.05.ODP[02]: characteristic>.

Evidence Requirements

E-IAM-05 Identity & Access Management (IAM) Function

Documented evidence of an Identity & Access Management (IAM), or similar function, that facilitates the implementation of identification and access management controls.

Identity & Access Management
E-IAM-06 Authenticate, Authorize and Audit (AAA) Solution

Documented evidence of an Authenticate, Authorize and Audit (AAA) solution (on-premises and hosted by External Service Providers (ESP)).

Identity & Access Management
E-IAM-13 Authenticator Types

Documented evidence of system authenticator types.

Asset Management

Technology Recommendations

Micro/Small

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Small

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Medium

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Large

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Enterprise

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free