NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-8(4) Use of Defined Profiles

Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

Practitioner Notes

This enhancement requires using defined identity assurance profiles for authenticating non-organizational users — aligning with NIST SP 800-63 assurance levels.

Example 1: Define in your system security plan that external users must authenticate at NIST SP 800-63B AAL2 (MFA required) for access to sensitive but unclassified data.

Example 2: Configure your identity provider to enforce different authentication requirements based on risk: AAL1 for public information, AAL2 for CUI, AAL3 for high-value assets.