03.05.05: Identifier Management
Control Family: Identification and Authentication
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-63-3 [27]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.05.05
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
IA-04
IA-04(04)
a. Receive authorization from organizational personnel or roles to assign an individual, group, role, service, or device identifier.
b. Select and assign an identifier that identifies an individual, group, role, service, or device.
c. Prevent the reuse of identifiers for [Assignment: organization-defined time period].
d. Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].
Discussion:
Identifiers are provided for users, processes acting on behalf of users, and devices. Prohibiting the reuse of identifiers prevents the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.
Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides information about the people with whom organizational personnel are communicating. For example, it is useful for an employee to know that one of the individuals on an email message is a contractor.
Assessment Methods and Objectives
Examine [SELECT FROM: identification and authentication policy and procedures; procedures for identifier management; procedures for account management; system design documentation; list of system accounts; list of characteristics identifying individual status; system configuration settings; list of identifiers generated from physical access control devices; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with identifier management responsibilities; personnel with information security responsibilities; system developers; system administrators]
Test [SELECT FROM: mechanisms for supporting or implementing identifier management]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.05.05.ODP[01]: the time period for preventing the reuse of identifiers is defined.
A.03.05.05.ODP[02]: characteristics used to identify individual status are defined.
A.03.05.05.a: authorization is received from organizational personnel or roles to assign an individual, group, role, service, or device identifier.
A.03.05.05.b[01]: an identifier that identifies an individual, group, role, service, or device is selected.
A.03.05.05.b[02]: an identifier that identifies an individual, group, role, service, or device is assigned.
A.03.05.05.c: the reuse of identifiers for <A.03.05.05.ODP[01]: time period> is prevented.
A.03.05.05.d: individual identifiers are managed by uniquely identifying each individual as <A.03.05.05.ODP[02]: characteristic>.