Skip to content

Identification and Authentication

Identification and Authentication (Organizational Users)

IA-02

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

FedRAMP Guidance

Multi-factor authentication must be phishing-resistant. In accordance with current CISA Guidance. Current CISA guidance can be found here: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf

Multi-factor Authentication to Privileged Accounts

IA-02(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement multi-factor authentication for access to privileged accounts.

FedRAMP Guidance

Multi-factor authentication must be phishing-resistant. In accordance with current CISA Guidance. Current CISA guidance can be found here: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf

Multi-factor Authentication to Non-privileged Accounts

IA-02(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement multi-factor authentication for access to non-privileged accounts.

FedRAMP Guidance

Multi-factor authentication must be phishing-resistant. In accordance with current CISA Guidance. Current CISA guidance can be found here: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf

Access to Accounts —separate Device

IA-02(06)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02(06)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement multi-factor authentication for [Selection: one or more of: local; network; remote] access to [Selection: one or more of: privileged accounts; non-privileged accounts] such that:

  • (a) One of the factors is provided by a device separate from the system gaining access; and
  • (b) The device meets [Assignment: organization-defined strength of mechanism requirements].

FedRAMP Parameters

Parameter ID NIST assignment FedRAMP value
ia-02.06_odp.01 one or more of: local; network; remote local, network and remote
ia-02.06_odp.02 one or more of: privileged accounts; non-privileged accounts privileged accounts; non-privileged accounts

Access to Accounts — Replay Resistant

IA-02(08)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02(08)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement replay-resistant authentication mechanisms for access to [Selection: one or more of: privileged accounts; non-privileged accounts].

FedRAMP Parameters

Parameter ID NIST assignment FedRAMP value
ia-02.08_odp one or more of: privileged accounts; non-privileged accounts privileged accounts; non-privileged accounts

Identify User Status

IA-04(04)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-04(04)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristics].

FedRAMP Parameters

Parameter ID NIST assignment FedRAMP value
ia-04.04_odp characteristics contractors; foreign nationals

Authenticator Management

IA-05

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-05
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Manage system authenticators by:

  • a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
  • b. Establishing initial authenticator content for any authenticators issued by the organization;
  • c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  • d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
  • e. Changing default authenticators prior to first use;
  • f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
  • g. Protecting authenticator content from unauthorized disclosure and modification;
  • h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
  • i. Changing authenticators for group or role accounts when membership to those accounts changes.

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link https://pages.nist.gov/800-63-3

IA-5 Guidance: SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3

IA-5 Guidance: SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3

IA-5 Guidance: SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

Comments