NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-5(8) Multiple System Accounts

Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

When individuals have accounts on multiple systems and use the same authenticators such as passwords, there is the risk that a compromise of one account may lead to the compromise of other accounts. Alternative approaches include having different authenticators (passwords) on all systems, employing a single sign-on or federation mechanism, or using some form of one-time passwords on all systems. Organizations can also use rules of behavior (see [PL-4](#pl-4)) and access agreements (see [PS-6](#ps-6)) to mitigate the risk of multiple system accounts.

Practitioner Notes

This enhancement addresses users who hold accounts on multiple systems. The aim is that a credential captured on one system cannot be replayed against the others, whether by assigning distinct authenticators per system, by federating through a single sign-on provider so that only one authenticator exists to protect, or by using one-time passwords that cannot be reused once observed.

Example 1: Require administrators to use different passwords for their standard user account, their admin account, and any cloud admin accounts. Separate password policies on each system only set composition and lifetime rules; they cannot see that the same value was chosen twice. Reuse has to be caught at password-set time (a cross-system reuse or password-history check) or designed out by issuing a different authenticator type per tier, for example a hardware security key for the admin account.

Example 2: Manage privileged credentials separately from standard credentials. A privileged access management vault such as CyberArk can hold admin account passwords and rotate them automatically after each checkout, so the value a user sees is never the long-lived one. Microsoft Entra Privileged Identity Management (formerly Azure AD PIM) addresses a different part of the problem: it grants cloud admin roles just-in-time for a limited activation window rather than rotating passwords, so the two are commonly combined.
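The following is an added example, not part of this control text or of any product, showing one way to enforce Example 1 at password-set time: a small registry that each enrolled system consults when a user sets a password. It keeps only a slow, per-user-salted fingerprint of each password, and refuses a value the same user already uses on a different enrolled system. The class and function names, the pepper handling and the enrolled systems are all assumptions made for the illustration.

```python
"""
Cross-system password-reuse check (hypothetical example, not from NIST or any product).

Each enrolled system calls register_password() when a user sets or changes a password.
The registry stores a PBKDF2 fingerprint salted per user with a keyed hash, never the
password itself, and rejects a password the same user already uses on another system.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000  # slow hash so leaked fingerprints remain costly to crack


@dataclass
class ReuseDecision:
    accepted: bool
    reason: str


@dataclass
class CredentialReuseRegistry:
    # Server-side secret; in a real deployment this lives in a KMS/HSM, not beside the store.
    pepper: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # user_id -> {system_name: fingerprint}
    _store: dict = field(default_factory=dict)

    def _fingerprint(self, user_id: str, password: str) -> bytes:
        # Deterministic per-user salt: the same password on two systems yields the same
        # fingerprint for that user, while two users' fingerprints are unrelated.
        salt = hmac.new(self.pepper, user_id.encode(), hashlib.sha256).digest()
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register_password(self, user_id: str, system: str, password: str) -> ReuseDecision:
        fp = self._fingerprint(user_id, password)
        systems = self._store.setdefault(user_id, {})
        for other_system, other_fp in systems.items():
            # Constant-time compare; a match on a *different* system is the IA-5(8) case
            if other_system != system and hmac.compare_digest(fp, other_fp):
                return ReuseDecision(False, f"password already in use on {other_system}")
        systems[system] = fp  # record, or rotate, this system's fingerprint
        return ReuseDecision(True, "accepted")

    def systems_for(self, user_id: str) -> set:
        return set(self._store.get(user_id, {}))


def demo() -> list:
    """Constructed scenario: one admin with a workstation, a domain admin account and a cloud admin role."""
    registry = CredentialReuseRegistry()
    results = []
    results.append(registry.register_password("alice", "workstation", "correct horse battery staple"))
    # Same password on a second system is exactly what IA-5(8) is meant to prevent
    results.append(registry.register_password("alice", "domain-admin", "correct horse battery staple"))
    # A different password for the admin account is accepted
    results.append(registry.register_password("alice", "domain-admin", "Tr0ub4dor&3 is not it either"))
    # Rotating the workstation password to an unrelated value is accepted
    results.append(registry.register_password("alice", "workstation", "new and unrelated passphrase"))
    # Another user picking alice's old password is a different risk, outside this control, so it passes
    results.append(registry.register_password("bob", "workstation", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The check only covers systems that are enrolled and call the registry, so it cannot see reuse on an external service; that gap is why the supplemental guidance lists single sign-on and one-time passwords as alternatives that remove the reusable secret rather than police it.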