NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-8(2) — Acceptance of External Authenticators
Accept only external authenticators that are NIST-compliant; and document and maintain a list of accepted external authenticators.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce). Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level.
Practitioner Notes
This enhancement requires accepting external authenticators that meet defined assurance levels — trusting credentials from vetted external identity providers.
Example 1: Configure Azure AD External Identities to accept authentication from partner organizations' identity providers that meet NIST SP 800-63B AAL2 or higher.
Example 2: Accept Login.gov credentials from external users at the IAL2/AAL2 assurance level for accessing your citizen-facing applications.
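Added example (not part of NIST SP 800-53 or any vendor's code): one way a relying party can enforce the documented list of accepted external authenticators and the minimum AAL from the examples above. The issuer URLs, acr strings, and the review-date rule are constructed assumptions; token signature, audience and expiry checks are assumed to happen upstream.

```python
from dataclasses import dataclass
from datetime import date

# Constructed acr strings; substitute the values each IdP actually documents.
AAL_RANK = {"urn:example:aal:1": 1, "urn:example:aal:2": 2, "urn:example:aal:3": 3}


@dataclass(frozen=True)
class AcceptedAuthenticator:
    issuer: str       # exact `iss` value of the external identity provider
    min_aal: int      # lowest AAL this relying party accepts from it
    review_due: date  # assumption: each list entry carries a re-review date


# The documented list of accepted external authenticators (constructed entries).
REGISTRY = {
    a.issuer: a
    for a in (
        AcceptedAuthenticator("https://idp.citizen.example/", 2, date(2030, 1, 1)),
        AcceptedAuthenticator("https://idp.partner.example/", 2, date(2020, 1, 1)),
    )
}


def evaluate(claims, today, registry=REGISTRY):
    """Return (accepted, reason) for already-verified ID token claims."""
    iss, acr = claims.get("iss"), claims.get("acr")
    entry = registry.get(iss) if isinstance(iss, str) else None
    if entry is None:
        return False, "issuer not on accepted list"
    if today > entry.review_due:
        # A stale entry means the list is not being maintained: fail closed.
        return False, "list entry overdue for review"
    aal = AAL_RANK.get(acr) if isinstance(acr, str) else None
    if aal is None:
        return False, "missing or unrecognized acr"
    if aal < entry.min_aal:
        return False, f"AAL{aal} below required AAL{entry.min_aal}"
    return True, f"accepted at AAL{aal}"


if __name__ == "__main__":
    today = date(2025, 6, 1)  # fixed date so the sample output is stable
    for claims in (
        {"iss": "https://idp.citizen.example/", "acr": "urn:example:aal:2"},
        {"iss": "https://idp.citizen.example/", "acr": "urn:example:aal:1"},
        {"iss": "https://idp.partner.example/", "acr": "urn:example:aal:3"},
        {"iss": "https://idp.unknown.example/", "acr": "urn:example:aal:3"},
    ):
        print(claims["iss"], evaluate(claims, today))
```

Logging each denial reason alongside the issuer gives assessors evidence that only listed authenticators are accepted.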