IA-8(6)—Disassociability
>Control Description
Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [Assignment: organization-defined measures].
>Cross-Framework Mappings
>Supplemental Guidance
Federated identity solutions can create increased privacy risks due to the tracking and profiling of individuals. Using identifier mapping tables or cryptographic techniques to blind credential service providers and relying parties from each other or to make identity attributes less visible to transmitting parties can reduce these privacy risks.
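The two techniques the guidance names can be shown side by side. The following is an added example, not code from the page or from NIST: a credential service provider (CSP) that issues a pairwise pseudonymous subject identifier per relying party (RP), first by cryptographic blinding (a keyed HMAC over the RP identifier and the subject, so no mapping state is needed) and second by an identifier mapping table (random opaque tokens that only the CSP can resolve back to the subject). The key value, the subject and RP names, and the delimiter format are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed sample key. In a real CSP this lives in an HSM/KMS and is never
# shared with relying parties; anyone holding it can re-link the pseudonyms.
CSP_PAIRWISE_KEY = bytes.fromhex("0f" * 32)


def global_subject_id(subject: str) -> str:
    """The non-disassociated baseline: every RP receives the same identifier,
    so any two RPs can join their records on it."""
    return subject


def pairwise_subject_id(subject: str, rp_id: str, key: bytes = CSP_PAIRWISE_KEY) -> str:
    """Cryptographic blinding: derive a stable, per-RP pseudonym with a keyed MAC.

    Each RP sees a different value for the same person, and without the CSP key
    an RP cannot recover the global subject or correlate with another RP.
    The NUL delimiter keeps ("ab","c") and ("a","bc") from colliding.
    """
    message = rp_id.encode("utf-8") + b"\x00" + subject.encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class MappingTableIssuer:
    """Identifier mapping table: a random opaque token per (subject, RP).

    The forward map is consulted on every login so the RP sees a stable id;
    the reverse map is the only place the link to the real subject exists,
    and it is scoped to the RP that the token was issued for.
    """

    def __init__(self) -> None:
        self._forward: Dict[Tuple[str, str], str] = {}
        self._reverse: Dict[str, Tuple[str, str]] = {}

    def issue(self, subject: str, rp_id: str) -> str:
        pair = (subject, rp_id)
        if pair not in self._forward:
            token = secrets.token_urlsafe(32)  # unguessable, no structure to mine
            self._forward[pair] = token
            self._reverse[token] = pair
        return self._forward[pair]

    def resolve(self, token: str, rp_id: str) -> str:
        """CSP-side lookup (e.g. for account recovery). Refuses to resolve a
        token presented on behalf of a different RP than it was issued to."""
        subject, issued_to = self._reverse[token]
        if issued_to != rp_id:
            raise PermissionError("token was not issued to this relying party")
        return subject


def rps_can_correlate(id_seen_by_rp_a: str, id_seen_by_rp_b: str) -> bool:
    """True when two RPs could join their user records on the identifier."""
    return id_seen_by_rp_a == id_seen_by_rp_b


if __name__ == "__main__":
    # Constructed demo: one person logging in to two relying parties.
    subject, rp_a, rp_b = "user-12345", "https://rp-a.example", "https://rp-b.example"

    print("global    :", rps_can_correlate(global_subject_id(subject), global_subject_id(subject)))
    print("hmac      :", rps_can_correlate(pairwise_subject_id(subject, rp_a),
                                           pairwise_subject_id(subject, rp_b)))
    table = MappingTableIssuer()
    print("table     :", rps_can_correlate(table.issue(subject, rp_a), table.issue(subject, rp_b)))
```

The HMAC variant is stateless and cheap but makes the pairwise key a single point of re-identification, so it must be protected and rotated with a plan for re-issuing identifiers. The mapping table keeps no derivable link at all, at the cost of persistent state that must itself be access-controlled and audited, since the reverse map is exactly the correlation the control is trying to prevent.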
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of IA-8(6) (Disassociability)?
- Who are the designated roles responsible for implementing, maintaining, and monitoring IA-8(6)?
- How frequently is the IA-8(6) policy reviewed and updated, and what triggers policy changes?
- What governance structure ensures IA-8(6) requirements are consistently applied across all systems?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce IA-8(6) requirements.
- What automated tools, systems, or technologies are deployed to implement IA-8(6)?
- How is IA-8(6) integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce IA-8(6) requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of IA-8(6)?
- What audit logs, records, reports, or monitoring data validate IA-8(6) compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of IA-8(6) effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate IA-8(6) compliance?