NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-4(8) Pairwise Pseudonymous Identifiers

Generate pairwise pseudonymous identifiers.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

A pairwise pseudonymous identifier is an opaque unguessable subscriber identifier generated by an identity provider for use at a specific individual relying party. Generating distinct pairwise pseudonymous identifiers with no identifying information about a subscriber discourages subscriber activity tracking and profiling beyond the operational requirements established by an organization. The pairwise pseudonymous identifiers are unique to each relying party except in situations where relying parties can show a demonstrable relationship justifying an operational need for correlation, or all parties consent to being correlated in such a manner.

Practitioner Notes

This enhancement requires the use of pairwise pseudonymous identifiers — unique identifiers that are different for each relationship, preventing tracking across services.

Example 1: When integrating with external services, use OIDC pairwise subject identifiers so that each service receives a different identifier for the same user, preventing cross-service tracking.

Example 2: Configure your identity provider to issue pairwise pseudonymous IDs for privacy-sensitive applications, ensuring user identifiers cannot be correlated between applications.
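The sketch below is an added illustration of how an identity provider could derive the pairwise subject identifiers mentioned in Example 1; it is not code from NIST or from any identity provider product. The client registry, key, and user IDs are constructed, and the keyed-HMAC derivation is one possible method assumed here. Clients that register a shared sector identifier URI model the "demonstrable relationship" exception and receive the same identifier.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed demo key (assumption): a real IdP keeps this in an HSM or
# secrets manager. Rotating it changes every subscriber's identifier.
IDP_SECRET = b"constructed-demo-key-not-for-production"

# Hypothetical relying-party registry. The two clinic clients declare a shared
# sector_identifier_uri, which is how related RPs opt in to correlation.
CLIENTS = {
    "payroll-app": {"redirect_uri": "https://payroll.example.com/cb"},
    "wiki-app": {"redirect_uri": "https://wiki.example.org/cb"},
    "clinic-web": {
        "redirect_uri": "https://web.clinic.example/cb",
        "sector_identifier_uri": "https://clinic.example/rp-group.json",
    },
    "clinic-mobile": {
        "redirect_uri": "https://m.clinic.example/cb",
        "sector_identifier_uri": "https://clinic.example/rp-group.json",
    },
}


def sector_identifier(client_id: str) -> str:
    """Host of the sector identifier URI, else host of the redirect URI."""
    client = CLIENTS[client_id]
    uri = client.get("sector_identifier_uri") or client["redirect_uri"]
    host = urlsplit(uri).hostname
    if not host:
        raise ValueError(f"no host component in {uri!r}")
    return host.lower()


def pairwise_sub(local_user_id: str, client_id: str) -> str:
    """Opaque, stable identifier for one subscriber at one sector."""
    sector = sector_identifier(client_id).encode()
    # Length-prefix the sector so (sector, user) pairs cannot collide
    # through ambiguous concatenation.
    msg = len(sector).to_bytes(2, "big") + sector + local_user_id.encode()
    # Keyed hash: without the IdP key, an RP cannot recompute or reverse it.
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for cid in CLIENTS:
        print(f"{cid:14} {pairwise_sub('alice', cid)}")
```

Because the identifier depends on the sector host rather than the client ID, moving a relying party to a different registered host changes its users' identifiers, so plan migrations accordingly.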