NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-13(2)Verification of Identity Assertions and Access Tokens

The source and integrity of identity assertions and access tokens are verified before granting access to system and information resources.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

This includes verification of digital signatures protecting identity assertions and access tokens, as well as included metadata. Metadata includes information about the access request such as information unique to user, system or information resource being accessed, or the transaction itself such as time. Protected system and information resources could include connected networks, applications, and APIs.

Practitioner Notes

This enhancement requires verifying the authenticity and integrity of identity assertions and access tokens — ensuring they have not been forged or tampered with.

Example 1: Configure all your applications to validate JWT signatures against the identity provider's published signing keys before accepting access tokens or ID tokens.

Example 2: Implement token audience validation in your APIs to ensure that access tokens were issued specifically for your application and not replayed from another service.

More Identification and Authentication Controls

IA-1 Policy and Procedures IA-2 Identification and Authentication (Organizational Users) IA-2(1) Multi-factor Authentication to Privileged Accounts IA-2(2) Multi-factor Authentication to Non-privileged Accounts