IA-4 Identifier Management
Control
Manage system identifiers by:
a.
Receiving authorization from [at a minimum, the ISSO (or similar role within the organization)] to assign an individual, group, role, service, or device identifier;
b.
Selecting an identifier that identifies an individual, group, role, service, or device;
c.
Assigning the identifier to the intended individual, group, role, service, or device; and
d.
Preventing reuse of identifiers for [at least two (2) years].
Discussion
Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4 . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.
FedRAMP-Defined Assignment / Selection Parameters
- IA-4 (a) [at a minimum, the ISSO (or similar role within the organization)] - personnel or roles from whom authorization must be received to assign an identifier are defined;
- IA-4 (d) [at least two (2) years] - a time period for preventing reuse of identifiers is defined;