NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-9 Service Identification and Authentication

Uniquely identify and authenticate [Assignment: organization-defined system services and applications] before establishing communications with devices, users, or other services or applications.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Services that may require identification and authentication include web applications using digital certificates or services or applications that query a database. Identification and authentication methods for system services and applications include information or code signing, provenance graphs, and electronic signatures that indicate the sources of services. Decisions regarding the validity of identification and authentication claims can be made by services separate from the services acting on those decisions. This can occur in distributed system architectures. In such situations, the identification and authentication decisions (instead of actual identifiers and authentication data) are provided to the services that need to act on those decisions.

Practitioner Notes

This control requires services (not just people and devices) to identify and authenticate themselves — when one system talks to another, they must verify each other's identity.

Example 1: Use mutual TLS (mTLS) between microservices so that each service presents a certificate and verifies the other service's identity before exchanging data.

Example 2: Implement the OAuth 2.0 client credentials flow for service-to-service authentication, where each service has a unique client ID and secret stored in Azure Key Vault.
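A sketch of Example 1 using Python's standard `ssl` module, added here as an illustration and not part of the NIST text: both sides require and verify a certificate, and the server then matches the caller's certificate name against an allowlist so that each service is uniquely identified. The service names, the allowlist and the certificate file parameters are assumptions.

```python
import ssl

# Constructed allowlist (assumption): DNS names of services allowed to call us.
ALLOWED_CALLERS = {"orders.svc.example.internal", "billing.svc.example.internal"}


def server_context(certfile=None, keyfile=None, cafile=None):
    """TLS server context that refuses clients without a valid certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Server contexts default to CERT_NONE (one-way TLS); mTLS needs CERT_REQUIRED.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # internal CA that issues service certs
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)    # this service's own identity
    return ctx


def client_context(certfile=None, keyfile=None, cafile=None):
    """TLS client context that verifies the server and presents its own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def peer_dns_names(peer_cert):
    """DNS subjectAltName entries from an SSLSocket.getpeercert() dict."""
    if not peer_cert:  # None (no cert presented) or {} (cert not validated)
        return set()
    return {v.lower() for kind, v in peer_cert.get("subjectAltName", ()) if kind == "DNS"}


def authorize_peer(peer_cert, allowed=ALLOWED_CALLERS):
    """A CA-signed cert proves *some* service; exact-match the name to know which one."""
    return bool(peer_dns_names(peer_cert) & allowed)


if __name__ == "__main__":
    # Constructed sample in the shape getpeercert() returns after a handshake.
    sample = {"subjectAltName": (("DNS", "orders.svc.example.internal"),)}
    print(authorize_peer(sample), authorize_peer({}))
```

On the server, call `authorize_peer(conn.getpeercert())` after the handshake and close the connection when it returns `False`; a certificate carrying only a wildcard name is rejected because the match is exact.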