What it requires: Identify and define account types; establish conditions for group + role membership; require approval before account creation; monitor account use.
Evidence example
JML automation log showing approval workflow + provisioning event + termination removal. Quarterly access certification campaign output.
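As an added illustration (not part of the original page) of how the AC-2 evidence above can be produced rather than hand-assembled, the following script reconciles a JML automation log against the control's two testable conditions: every provisioning event must be preceded by an approval on the same ticket, and every termination must be followed by an access removal within an assumed SLA. The log format, field names and SLA are constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample JML automation log (assumed format, not a real product's output):
# <ISO timestamp> <ACTION> key=value ...
SAMPLE_LOG = """\
2024-03-01T09:00:00Z APPROVED account=jdoe approver=mgr1 ticket=REQ-1001
2024-03-01T09:05:00Z PROVISIONED account=jdoe ticket=REQ-1001
2024-03-02T10:00:00Z PROVISIONED account=svc-batch ticket=REQ-1002
2024-03-10T08:00:00Z TERMINATED account=jdoe
2024-03-11T08:30:00Z REMOVED account=jdoe
2024-03-15T08:00:00Z TERMINATED account=asmith
"""


def parse_log(text):
    """Parse log lines into (timestamp, action, attributes) tuples, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, *fields = line.split()
        attrs = dict(f.split("=", 1) for f in fields)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), action, attrs))
    return events


def find_exceptions(events, removal_sla=timedelta(days=3)):
    """Return (finding, account) pairs for AC-2 violations found in the log.

    - unapproved_provisioning: no APPROVED event for the ticket at or before the
      PROVISIONED event (approval must precede account creation).
    - removal_missing_or_late: TERMINATED with no REMOVED event, or REMOVED
      later than removal_sla after termination (assumed SLA).
    """
    approved_at = {e[2]["ticket"]: e[0] for e in events if e[1] == "APPROVED"}
    removed_at = {e[2]["account"]: e[0] for e in events if e[1] == "REMOVED"}
    exceptions = []
    for ts, action, attrs in events:
        if action == "PROVISIONED":
            approval = approved_at.get(attrs.get("ticket"))
            if approval is None or approval > ts:
                exceptions.append(("unapproved_provisioning", attrs["account"]))
        elif action == "TERMINATED":
            removal = removed_at.get(attrs["account"])
            if removal is None or removal - ts > removal_sla:
                exceptions.append(("removal_missing_or_late", attrs["account"]))
    return exceptions


if __name__ == "__main__":
    for finding, account in find_exceptions(parse_log(SAMPLE_LOG)):
        print(f"{finding}: {account}")
```

An empty exception list over the certification period, together with the raw log, is the artifact an assessor can re-run; the two findings in the sample (a service account provisioned without an approval, a leaver whose access was never removed) are exactly what a quarterly certification campaign is meant to surface.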
AC-2(7) Account Management — Privileged User Accounts
What it requires: Establish and administer privileged accounts in accordance with a role-based access scheme. Monitor privileged role assignments.
Evidence example
PAM vault inventory + JIT elevation logs + quarterly privileged-account review with sign-off.
What it requires: Employ the principle of least privilege; only grant authorized access necessary to accomplish assigned tasks.
Evidence example
Role mining report + SoD violation list + certification cycle showing right-sizing of access.
AC-6(9) Least Privilege — Log Use of Privileged Functions
What it requires: Audit the execution of privileged functions.
Evidence example
Session recordings + privileged-command audit log + SIEM rule that alerts on anomalous privileged use.
IA-2 Identification & Authentication (Organizational Users)
What it requires: Uniquely identify and authenticate organizational users; require MFA for privileged accounts (IA-2(1)) and for non-privileged accounts to non-public systems (IA-2(2)).
Evidence example
IdP Conditional Access policy export + sign-in logs showing MFA enforcement + screenshot of policy in effect.
IA-2(11) Identification & Authentication — Remote Access
What it requires: Implement multi-factor authentication for remote access to privileged and non-privileged accounts.
Evidence example
VPN / ZTNA configuration showing MFA enforcement on remote sessions + log sample.
IA-2(12) Identification & Authentication — Acceptance of PIV Credentials
What it requires: Accept and electronically verify PIV credentials.
Evidence example
IdP integration with PIV / smart-card authentication + test login showing certificate-based authentication (CBA) succeeds.
IA-5 Authenticator Management
What it requires: Manage authenticators — verify identity before issuance, establish administrative procedures, change defaults, protect content.
Evidence example
Password policy + rotation log + service-account credential inventory in PAM.
IA-8 Identification & Authentication (Non-Organizational Users)
What it requires: Uniquely identify and authenticate non-organizational users (B2B partners, customers).
Evidence example
B2B federation configuration + customer IdP allowlist + CIAM signup-flow documentation.
What it requires: Process for identity-proofing users before they receive access, aligned to the NIST SP 800-63 Identity Assurance Levels (IAL).
Evidence example
Workforce onboarding workflow showing government-ID verification + HRIS attestation.
What it requires: Identify the types of events the system is capable of logging; coordinate event logging with other organizational entities.
Evidence example
IdP + PAM + SIEM event-source inventory + retention configuration.
AU-6 Audit Record Review, Analysis, and Reporting
What it requires: Review and analyze audit records for indications of inappropriate or unusual activity.
Evidence example
Identity Threat Detection and Response (ITDR) rules + investigation runbook + monthly review log.
AU-9(4) Protection of Audit Information — Privileged Users
What it requires: Authorize access to management of audit logging only to a subset of privileged users.
Evidence example
SIEM access roles + segregation showing IAM administrators cannot modify their own audit logs.