Skip to content

Identification and Authentication

Identification and Authentication (Organizational Users)

IA-02

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

FedRAMP Guidance

Multi-factor authentication must be phishing-resistant. In accordance with current CISA Guidance. Current CISA guidance can be found here: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf


Multi-factor Authentication to Privileged Accounts

IA-02(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement multi-factor authentication for access to privileged accounts.

FedRAMP Guidance

Multi-factor authentication must be phishing-resistant. In accordance with current CISA Guidance. Current CISA guidance can be found here: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf


Multi-factor Authentication to Non-privileged Accounts

IA-02(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement multi-factor authentication for access to non-privileged accounts.

FedRAMP Guidance

Multi-factor authentication must be phishing-resistant. In accordance with current CISA Guidance. Current CISA guidance can be found here: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf


Access to Accounts —separate Device

IA-02(06)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02(06)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement multi-factor authentication for [Selection: one or more of: local; network; remote] access to [Selection: one or more of: privileged accounts; non-privileged accounts] such that:

  • (a) One of the factors is provided by a device separate from the system gaining access; and
  • (b) The device meets [Assignment: organization-defined strength of mechanism requirements].

FedRAMP Parameters

Parameter ID NIST assignment FedRAMP value
ia-02.06_odp.01 one or more of: local; network; remote local, network and remote
ia-02.06_odp.02 one or more of: privileged accounts; non-privileged accounts privileged accounts; non-privileged accounts

Access to Accounts — Replay Resistant

IA-02(08)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02(08)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement replay-resistant authentication mechanisms for access to [Selection: one or more of: privileged accounts; non-privileged accounts].

FedRAMP Parameters

Parameter ID NIST assignment FedRAMP value
ia-02.08_odp one or more of: privileged accounts; non-privileged accounts privileged accounts; non-privileged accounts

Identify User Status

IA-04(04)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-04(04)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristics].

FedRAMP Parameters

Parameter ID NIST assignment FedRAMP value
ia-04.04_odp characteristics contractors; foreign nationals

Authenticator Management

IA-05

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-05
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Manage system authenticators by:

  • a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
  • b. Establishing initial authenticator content for any authenticators issued by the organization;
  • c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  • d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
  • e. Changing default authenticators prior to first use;
  • f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
  • g. Protecting authenticator content from unauthorized disclosure and modification;
  • h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
  • i. Changing authenticators for group or role accounts when membership to those accounts changes.

Authenticators must be compliant with the most recent NIST Digital Identity Guidelines IAL, AAL, FAL level 1.

IA-5 Guidance: FedRAMP requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

Authenticators must be compliant with the most recent NIST Digital Identity Guidelines IAL, AAL, FAL level 2.

IA-5 Guidance: FedRAMP requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

Authenticators must be compliant with the most recent NIST Digital Identity Guidelines IAL, AAL, FAL level 3.

IA-5 Guidance: FedRAMP requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).


Comments