NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-8(6) Disassociability

Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [Assignment: organization-defined measures].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Federated identity solutions can create increased privacy risks due to the tracking and profiling of individuals. Using identifier mapping tables or cryptographic techniques to blind credential service providers and relying parties from each other or to make identity attributes less visible to transmitting parties can reduce these privacy risks.

Practitioner Notes

This enhancement requires disassociability — the ability to authenticate external users without unnecessarily linking their activities across different interactions or systems.

Example 1: Use pairwise pseudonymous identifiers for external users so that their activity on one application cannot be correlated with their activity on another.

Example 2: Configure your OIDC identity provider to issue different subject identifiers to different relying parties for the same external user, preserving privacy.
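
One way an identity provider can derive the per-relying-party subject identifiers described in Examples 1 and 2, as an added example that is not part of the original page. It follows the pairwise `sub` approach from OpenID Connect Core section 8.1, but swaps the plain salted hash for HMAC-SHA-256 over length-prefixed fields; the function names, secret, URLs and account ID are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed demo key; a real provider keeps this secret outside source code.
DEMO_SECRET = b"constructed-demo-secret"


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Return the host that groups a relying party's clients into one sector."""
    if sector_identifier_uri is not None:
        parts = urlsplit(sector_identifier_uri)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("sector_identifier_uri must be an https URL")
        return parts.hostname
    hosts = {urlsplit(uri).hostname for uri in redirect_uris}
    if len(hosts) != 1 or None in hosts:
        # Several hosts and no sector_identifier_uri: refuse instead of guessing.
        raise ValueError("register a sector_identifier_uri for multiple hosts")
    return hosts.pop()


def pairwise_sub(secret, sector, local_account_id):
    """Derive a stable subject identifier scoped to one sector."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = (sector.encode(), local_account_id.encode())
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def demo():
    """Issue identifiers for one constructed user at two relying parties."""
    user = "acct-1001"  # constructed local account ID, never sent to the RP
    hr = sector_identifier(["https://hr.example.com/callback"])
    wiki = sector_identifier(["https://wiki.example.org/cb"])
    return {
        "hr": pairwise_sub(DEMO_SECRET, hr, user),
        "wiki": pairwise_sub(DEMO_SECRET, wiki, user),
        "hr_again": pairwise_sub(DEMO_SECRET, hr, user),
    }


if __name__ == "__main__":
    for name, sub in demo().items():
        print(name, sub)
```

The same user receives a stable identifier at each relying party, but two relying parties comparing their records cannot match the values without the provider's secret.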