
IAC Identification & Authentication

112 controls in the Identification & Authentication domain

IAC-01 Identity & Access Management (IAM)
  IAC-01.1 Retain Access Records
  IAC-01.2 Authenticate, Authorize and Audit (AAA)
  IAC-01.3 User & Service Account Inventories
IAC-02 Identification & Authentication for Organizational Users
  IAC-02.1 Group Authentication
  IAC-02.2 Replay-Resistant Authentication
  IAC-02.3 Acceptance of PIV Credentials
  IAC-02.4 Out-of-Band Authentication (OOBA)
IAC-03 Identification & Authentication for Non-Organizational Users
  IAC-03.1 Acceptance of PIV Credentials from Other Organizations
  IAC-03.2 Acceptance of Third-Party Credentials
  IAC-03.3 Use of FICAM-Issued Profiles
  IAC-03.4 Disassociability
  IAC-03.5 Acceptance of External Authenticators
IAC-04 Identification & Authentication for Devices
  IAC-04.1 Device Attestation
  IAC-04.2 Device Authorization Enforcement
IAC-05 Identification & Authentication for Third-Party Technology Assets, Applications and/or Services (TAAS)
  IAC-05.1 Sharing Identification & Authentication Information
  IAC-05.2 Privileged Access by Non-Organizational Users
IAC-06 Multi-Factor Authentication (MFA)
  IAC-06.1 Network Access to Privileged Accounts
  IAC-06.2 Network Access to Non-Privileged Accounts
  IAC-06.3 Local Access to Privileged Accounts
  IAC-06.4 Out-of-Band Multi-Factor Authentication
  IAC-06.5 Alternative Multi-Factor Authentication
IAC-07 User Provisioning & De-Provisioning
  IAC-07.1 Change of Roles & Duties
  IAC-07.2 Termination of Employment
IAC-08 Role-Based Access Control (RBAC)
IAC-09 Identifier Management (User Names)
  IAC-09.1 User Identity (ID) Management
  IAC-09.2 Identity User Status
  IAC-09.3 Dynamic Management
  IAC-09.4 Cross-Organization Management
  IAC-09.5 Privileged Account Identifiers
  IAC-09.6 Pairwise Pseudonymous Identifiers (PPID)
IAC-10 Authenticator Management
  IAC-10.1 Password-Based Authentication
  IAC-10.2 PKI-Based Authentication
  IAC-10.3 In-Person or Trusted Third-Party Registration
  IAC-10.4 Automated Support For Password Strength
  IAC-10.5 Protection of Authenticators
  IAC-10.6 No Embedded Unencrypted Static Authenticators
  IAC-10.7 Hardware Token-Based Authentication
  IAC-10.8 Default Authenticators
  IAC-10.9 Multiple System Accounts
  IAC-10.10 Expiration of Cached Authenticators
  IAC-10.11 Password Managers
  IAC-10.12 Biometric Authentication
  IAC-10.13 Events Requiring Authenticator Change
  IAC-10.14 Passkeys
IAC-11 Authenticator Feedback
IAC-12 Cryptographic Module Authentication
  IAC-12.1 Hardware Security Modules (HSM)
IAC-13 Adaptive Identification & Authentication
  IAC-13.1 Single Sign-On (SSO) Transparent Authentication
  IAC-13.2 Federated Credential Management
  IAC-13.3 Continuous Authentication
IAC-14 Re-Authentication
IAC-15 Account Management
  IAC-15.1 Automated System Account Management (Directory Services)
  IAC-15.2 Removal of Temporary / Emergency Accounts
  IAC-15.3 Disable Inactive Accounts
  IAC-15.4 Automated Audit Actions
  IAC-15.5 Restrictions on Shared Groups / Accounts
  IAC-15.6 Account Disabling for High Risk Individuals
  IAC-15.7 System Account Reviews
  IAC-15.8 Usage Conditions
  IAC-15.9 Emergency Accounts
IAC-16 Privileged Account Management (PAM)
  IAC-16.1 Privileged Account Inventories
  IAC-16.2 Privileged Account Separation
  IAC-16.3 Privileged Command Execution
  IAC-16.4 Dedicated Privileged Account
IAC-17 Periodic Review of Account Privileges
IAC-18 User Responsibilities for Account Management
IAC-19 Credential Sharing
IAC-20 Access Enforcement
  IAC-20.1 Access To Sensitive / Regulated Data
  IAC-20.2 Database Access
  IAC-20.3 Use of Privileged Utility Programs
  IAC-20.4 Dedicated Administrative Machines
  IAC-20.5 Dual Authorization for Privileged Commands
  IAC-20.6 Revocation of Access Authorizations
  IAC-20.7 Authorized System Accounts
IAC-21 Least Privilege
  IAC-21.1 Authorize Access to Security Functions
  IAC-21.2 Non-Privileged Access for Non-Security Functions
  IAC-21.3 Management Approval For Privileged Accounts
  IAC-21.4 Auditing Use of Privileged Functions
  IAC-21.5 Prohibit Non-Privileged Users from Executing Privileged Functions
  IAC-21.6 Network Access to Privileged Commands
  IAC-21.7 Privilege Levels for Code Execution
IAC-22 Account Lockout
IAC-23 Concurrent Session Control
IAC-24 Session Lock
  IAC-24.1 Pattern-Hiding Displays
IAC-25 Session Termination
  IAC-25.1 User-Initiated Logouts / Message Displays
IAC-26 Permitted Actions Without Identification or Authorization
IAC-27 Reference Monitor
IAC-28 Identity Proofing (Identity Verification)
  IAC-28.1 Management Approval For New or Changed Accounts
  IAC-28.2 Identity Evidence
  IAC-28.3 Identity Evidence Validation & Verification
  IAC-28.4 In-Person Validation & Verification
  IAC-28.5 Address Confirmation
IAC-29 Attribute-Based Access Control (ABAC)
  IAC-29.1 Real-Time Access Decisions
  IAC-29.2 Access Profile Rules