NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-13 — Identity Providers and Authorization Servers
Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions in accordance with {{ insert: param, ia-13_odp.01 }} using {{ insert: param, ia-13_odp.02 }}.
Supplemental Guidance
Identity providers, both internal and external to the organization, manage the user, device, and NPE authenticators and issue statements, often called identity assertions, attesting to identities of other systems or systems components. Authorization servers create and issue access tokens to identified and authenticated users and devices that can be used to gain access to system or information resources. For example, single sign-on (SSO) provides identity provider and authorization server functions. Authenticator management (to include credential management) is covered by IA-05.
Practitioner Notes
This control addresses the management and security of identity providers and authorization servers — the systems that issue and validate identity assertions and access tokens.
Example 1: Harden your Entra ID (formerly Azure AD) tenant: require MFA for every privileged role (security defaults enforce MFA tenant-wide for all users; if you use Conditional Access policies instead, security defaults must be switched off and MFA is enforced through those policies), and periodically review app registrations and service principals, removing unused ones and rotating or deleting stale client secrets and certificates, since those credentials are NPE authenticators in their own right.
Example 2: If you run an on-premises identity provider such as AD FS or Keycloak, apply security patches promptly, restrict administrative access to both the host and the admin console, protect the token-signing key material (anyone holding the signing key can mint assertions that relying parties accept without any authentication having taken place), and monitor authentication logs for anomalies such as sign-ins from unfamiliar sources, assertions for accounts that never authenticated at the IdP, or unexpected signing key or certificate changes.
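The supplemental guidance describes two roles: an authorization server that issues access tokens to already authenticated subjects, and resource servers that accept those tokens for access decisions. The following is an added illustration of both sides (not NIST text and not any product's code), showing the checks a resource server must perform before trusting a token: pinned algorithm, signature, issuer, audience, expiry and scope. It uses HS256 with a shared secret only because the Python standard library has no RSA/ECDSA; a real authorization server signs with an asymmetric key and publishes the public half via a JWKS endpoint, but the claim checks are identical. The secret, issuer URL, audience and subject names are constructed for the example.

```python
"""Access-token issuance and validation, stdlib only (added example).

HS256 shared-secret signing stands in for the asymmetric signatures a real
authorization server uses. SHARED_SECRET, ISSUER, AUDIENCE and the subject
names are constructed values, not from any deployment.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"example-secret-do-not-use"   # constructed
ISSUER = "https://as.example.internal"           # constructed
AUDIENCE = "api://orders"                        # constructed


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def _sign(signing_input: str) -> bytes:
    return hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()


def issue_access_token(subject: str, scope: str, ttl_seconds: int = 300,
                       now: Optional[int] = None) -> str:
    """Authorization-server side: mint a signed token for an already
    authenticated user, device or NPE."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": AUDIENCE,
              "iat": now, "exp": now + ttl_seconds, "scope": scope}
    signing_input = _compact_json(header) + "." + _compact_json(claims)
    return signing_input + "." + _b64url_encode(_sign(signing_input))


def validate_access_token(token: str, required_scope: str,
                          now: Optional[int] = None) -> dict:
    """Resource-server side: every check must pass before the token feeds an
    authorization decision. Raises ValueError naming the first failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never honour the token's own alg value.
    # This is what defeats alg=none and algorithm-confusion tokens.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_sign(f"{header_b64}.{claims_b64}"),
                               _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")      # minted for a different API
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if required_scope not in str(claims.get("scope", "")).split():
        raise ValueError("insufficient scope")
    return claims


def validation_outcome(token: str, required_scope: str,
                       now: Optional[int] = None) -> str:
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        validate_access_token(token, required_scope, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def forge_alg_none(token: str) -> str:
    """Attacker variant: keep the claims, drop the signature, claim alg=none."""
    _, claims_b64, _ = token.split(".")
    return _b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + claims_b64 + "."


def tamper_scope(token: str, new_scope: str) -> str:
    """Attacker variant: rewrite the scope claim but reuse the old signature."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["scope"] = new_scope
    return header_b64 + "." + _compact_json(claims) + "." + sig_b64


if __name__ == "__main__":
    t0 = 1_700_000_000                      # fixed clock so the run is reproducible
    tok = issue_access_token("svc-orders-worker", "orders:read", now=t0)
    print(validation_outcome(tok, "orders:read", t0 + 60))                          # ok
    print(validation_outcome(tok, "orders:read", t0 + 600))                         # token expired
    print(validation_outcome(tok, "orders:write", t0 + 60))                         # insufficient scope
    print(validation_outcome(forge_alg_none(tok), "orders:read", t0 + 60))          # unexpected alg
    print(validation_outcome(tamper_scope(tok, "orders:write"), "orders:write", t0 + 60))  # bad signature
```

The order of checks matters: algorithm and signature are verified before any claim is read, so unsigned or altered claims never influence a decision, and the audience check stops a token legitimately issued for one resource from being replayed against another. The same structure applies to SAML assertions from an IdP, where the equivalent checks are the signing certificate, Issuer, Audience and NotOnOrAfter.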