NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-13(3)Token Management

In accordance with {{ insert: param, ia-13_odp.01 }}, assertions and access tokens are: generated; issued; refreshed; revoked; time-restricted; and audience-restricted.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

An access token is a piece of data that represents the authorization granted to a user or NPE to access specific systems or information resources. Access tokens enable controlled access to services and resources. Properly managing the lifecycle of access tokens, including their issuance, validation, and revocation, is crucial to maintaining confidentiality of data and systems. Restricting token validity to a specific audience, e.g., an application or security domain, and restricting token validity lifetimes are important practices. Access tokens are revoked or invalidated if they are compromised, lost, or are no longer needed to mitigate the risks associated with stolen or misused tokens.

Practitioner Notes

This enhancement addresses token management — controlling the lifecycle of access tokens, refresh tokens, and other security tokens issued by your identity infrastructure.

Example 1: Configure Azure AD token lifetime policies to limit access tokens to 1 hour and refresh tokens to 24 hours, forcing periodic re-authentication.

Example 2: Implement token revocation capabilities in your identity provider so that when a user's access is terminated, their outstanding tokens can be immediately invalidated rather than waiting for natural expiration.

More Identification and Authentication Controls

IA-1 Policy and Procedures IA-2 Identification and Authentication (Organizational Users) IA-2(1) Multi-factor Authentication to Privileged Accounts IA-2(2) Multi-factor Authentication to Non-privileged Accounts