HOME

IA-4

IA-4 H M L
Description

The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].

FedRAMP
  • H IA-4(a) [at a minimum, the ISSO (or similar role within the organization)] IA-4 (d) [at least two (2) years] IA-4 (e) [thirty-five (35) days] (See additional requirements and guidance.)
  • M IA-4 (d) [at least two years] IA-4 (e) [ninety days for user identifiers] (See additional requirements and guidance)
  • L IA-4 (d) [at least two years] IA-4 (e) [ninety days for user identifiers] (See additional requirements and guidance)
DISA Cloud Computing SRG

a. ISSM or ISSO
d. 1 year for user identifiers (DoD is not going to specify value for device identifier).
e. 35 days

Source:
DoD RMF TAG

Supplemental Guidance

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

Further Guidance

IA-4 (e) Requirement: The service provider defines the time period of inactivity for device identifiers.
Guidance: For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.

Related Controls