{"$id":"https://askmeidentity.com/resources/iam-compliance-crosswalk/data.json","name":"IAM Compliance Crosswalk","description":"Citable cross-framework mapping of identity & access management controls — NIST 800-53 r5.2.0 (2025), ISO 27001:2022 + Amendment 1 (2024), SOC 2 (TSC), HIPAA Security Rule (Dec 2024 NPRM pending), FFIEC IT Examination Handbook, and FedRAMP Moderate / High baselines. Free to cite under CC BY 4.0.","publisher":{"name":"askmeidentity","url":"https://askmeidentity.com"},"license":"CC-BY-4.0","licenseUrl":"https://creativecommons.org/licenses/by/4.0/","version":"2026.05.2","datePublished":"2026-05-01","dateModified":"2026-05-22","pageUrl":"https://askmeidentity.com/resources/iam-compliance-crosswalk/","frameworks":["NIST 800-53 r5","ISO 27001 / 27002","SOC 2 TSC","HIPAA Security Rule","FFIEC IT Examination Handbook","FedRAMP Moderate + High"],"families":{"iga":"Identity governance & lifecycle","access":"Access management & authentication","pam":"Privileged access","audit":"Audit & evidence","ciam":"Customer identity & federation"},"controls":[{"id":"iga-account-management","name":"Account management & lifecycle (JML)","description":"Provisioning, modification, disablement, and removal of user accounts driven by an authoritative HRIS / identity source.","family":"iga","mappings":{"nist80053":"AC-2, AC-2(1), AC-2(2), AC-2(3)","iso27001":"A.5.16, A.5.18","soc2":"CC6.1, CC6.2, CC6.3","hipaa":"§ 164.308(a)(3) — Workforce Security; § 164.308(a)(4) — Information Access Management","ffiec":"Information Security § II.C.7 — Authentication and Access Controls","fedramp":"Moderate + High: AC-2(1)-(3)"},"engineeringNotes":"Best implemented as HRIS-triggered automation with a documented exception policy. Manual ticket-driven JML satisfies most frameworks on paper, but it rarely closes audit findings cleanly because the timeliness of deprovisioning is hard to evidence by hand.","lastReviewed":"2026-05-22","anchor":"https://askmeidentity.com/resources/iam-compliance-crosswalk/#control-iga-account-management"},{"id":"iga-cert-recurring","name":"Recurring access certification","description":"Periodic reviewer-led recertification of user access entitlements, scoped to risk tier and regulated application boundary.","family":"iga","mappings":{"nist80053":"AC-2(7), AC-6(7)","iso27001":"A.5.16, A.5.18","soc2":"CC6.2, CC6.3","hipaa":"§ 164.308(a)(4) — Information Access Management","ffiec":"Information Security § II.C.13 — User Access Reviews","fedramp":"Moderate + High: AC-2(7)"},"engineeringNotes":"A quarterly, risk-tiered cadence beats an annual sweep. Reviewer kits with context (last login, entitlement diff, peer comparison) move the rubber-stamp rate down meaningfully.","lastReviewed":"2026-05-22","anchor":"https://askmeidentity.com/resources/iam-compliance-crosswalk/#control-iga-cert-recurring"},{"id":"iga-separation-of-duties","name":"Separation of duties (SoD)","description":"Enforcement of incompatible role / entitlement combinations to prevent fraud, error, or abuse.","family":"iga","mappings":{"nist80053":"AC-5, AC-6(7)","iso27001":"A.5.3","soc2":"CC6.1, CC6.2","hipaa":"§ 164.308(a)(3) — Workforce Security (least privilege)","ffiec":"Information Security § II.C.7 — Separation of Duties","fedramp":"Moderate + High: AC-5"},"engineeringNotes":"SAP- and ERP-anchored programs treat SoD as a first-class concern (Saviynt AAG / SailPoint SoD). Most SaaS-first programs need a layered policy on top of native role primitives.","lastReviewed":"2026-05-22","anchor":"https://askmeidentity.com/resources/iam-compliance-crosswalk/#control-iga-separation-of-duties"},{"id":"access-mfa","name":"Multi-factor authentication","description":"Authentication requiring two or more factors for workforce access, with phishing-resistant factors required for privileged contexts.","family":"access","mappings":{"nist80053":"IA-2, IA-2(1), IA-2(2), IA-2(12)","iso27001":"A.5.17, A.8.5","soc2":"CC6.1, CC6.6","hipaa":"§ 164.308(a)(5)(ii)(D) — Password Management; § 164.312(a)(2)(i) — Unique User ID","ffiec":"Information Security § II.C.7 — Authentication and Access Controls","fedramp":"Moderate + High: IA-2(1), IA-2(2), IA-2(12)"},"engineeringNotes":"NIST and FedRAMP both push phishing-resistant factors (FIDO2 / smart card) for privileged access. IA-2(12) (acceptance of PIV credentials) sits in the Low, Moderate, and High 800-53B baselines, so it is not a High-only requirement. Push-based MFA remains common but is increasingly insufficient under examiner expectations.","lastReviewed":"2026-05-22","anchor":"https://askmeidentity.com/resources/iam-compliance-crosswalk/#control-access-mfa"},{"id":"access-session-control","name":"Session management & timeout","description":"Idle timeout, absolute session lifetime, and re-authentication policies for sensitive contexts.","family":"access","mappings":{"nist80053":"AC-12, AC-11","iso27001":"A.8.5","soc2":"CC6.1","hipaa":"§ 164.312(a)(2)(iii) — Automatic Logoff","ffiec":"Information Security § II.C.7","fedramp":"Moderate + High: AC-12"},"engineeringNotes":"Conditional Access (Entra) and Adaptive Access (Okta) both meet this when the policies are documented. Session cookies with no idle timeout or absolute lifetime are an audit finding waiting to happen.","lastReviewed":"2026-05-22","anchor":"https://askmeidentity.com/resources/iam-compliance-crosswalk/#control-access-session-control"},{"id":"access-least-privilege","name":"Least privilege","description":"Access scoped to the minimum required to perform a job function, with time-bound elevation for exception cases.","family":"access","mappings":{"nist80053":"AC-6, AC-6(1), AC-6(5), AC-6(10)","iso27001":"A.5.15, A.8.2","soc2":"CC6.1, CC6.3","hipaa":"§ 164.308(a)(4) — Access Authorization","ffiec":"Information Security § II.C.7","fedramp":"Moderate + High: AC-6(1), AC-6(5), AC-6(10)"},"lastReviewed":"2026-05-22","anchor":"https://askmeidentity.com/resources/iam-compliance-crosswalk/#control-access-least-privilege"},{"id":"pam-credential-vault","name":"Privileged credential vaulting","description":"Privileged accounts (domain admin, root, database, cloud) held in a vault with checkout/checkin and rotation policies.","family":"pam","mappings":{"nist80053":"AC-2(7), IA-5, SC-12","iso27001":"A.8.2, A.8.5","soc2":"CC6.1, CC6.6","hipaa":"§ 164.308(a)(3) — Workforce Security; § 164.312(d) — Person or Entity Authentication","ffiec":"Information Security § II.C.7 — Privileged Access","fedramp":"Moderate + High: AC-6(5), IA-5"},"engineeringNotes":"CyberArk, BeyondTrust, Delinea, and HashiCorp Vault all satisfy this. Auditors look for evidence of rotation, not just vault existence.","lastReviewed":"2026-05-22","anchor":"https://askmeidentity.com/resources/iam-compliance-crosswalk/#control-pam-credential-vault"},{"id":"pam-session-monitoring","name":"Privileged session monitoring","description":"Recording, monitoring, and selective replay of privileged sessions on sensitive systems.","family":"pam","mappings":{"nist80053":"AC-2(12), AU-2, AU-12","iso27001":"A.8.15","soc2":"CC6.8, CC7.2","hipaa":"§ 164.312(b) — Audit Controls","ffiec":"Information Security § II.C.7; Audit § III.D — Privileged Session Logging","fedramp":"Moderate + High: AU-2, AU-12; High: AC-2(12)"},"engineeringNotes":"HIPAA § 164.312(b) requires mechanisms that record and examine activity in systems that contain or use ePHI, which examiners read as covering privileged sessions on those systems. Workstation sessions of PHI handlers are a recurring gap in recent HHS-OCR enforcement.","lastReviewed":"2026-05-22","anchor":"https://askmeidentity.com/resources/iam-compliance-crosswalk/#control-pam-session-monitoring"},{"id":"pam-just-in-time","name":"Just-in-time elevation","description":"Privileged access granted on request for a bounded time window, with elimination of standing privileged accounts.","family":"pam","mappings":{"nist80053":"AC-2(6), AC-6(5)","iso27001":"A.5.15","soc2":"CC6.1, CC6.3","hipaa":"§ 164.308(a)(4) — Access Authorization","ffiec":"Information Security § II.C.7","fedramp":"Moderate + High: AC-6(5)"},"engineeringNotes":"No framework names JIT as a requirement, but it is the strongest way to satisfy the least-privilege expectations of all of them. Standing privilege is the single most-cited finding category.","lastReviewed":"2026-05-22","anchor":"https://askmeidentity.com/resources/iam-compliance-crosswalk/#control-pam-just-in-time"},{"id":"audit-event-logging","name":"Identity event logging","description":"Centralized logging of authentication events, access modifications, and privileged actions with tamper-evident retention.","family":"audit","mappings":{"nist80053":"AU-2, AU-3, AU-9, AU-12","iso27001":"A.8.15, A.8.17","soc2":"CC7.2","hipaa":"§ 164.312(b) — Audit Controls","ffiec":"Audit § II — Logging and Monitoring","fedramp":"Moderate + High: AU-2, AU-3, AU-9, AU-12"},"lastReviewed":"2026-05-22","anchor":"https://askmeidentity.com/resources/iam-compliance-crosswalk/#control-audit-event-logging"},{"id":"audit-log-retention","name":"Log retention","description":"Retention period for identity-related logs sufficient for the regulator and the incident-response cycle.","family":"audit","mappings":{"nist80053":"AU-11","iso27001":"A.8.15","soc2":"CC7.2","hipaa":"§ 164.316(b)(2)(i) — six-year retention","ffiec":"Audit § III.B","fedramp":"Moderate + High: AU-11 (1 year online, 3 years offline)"},"engineeringNotes":"HIPAA's six-year clock (§ 164.316(b)(2)(i)) is written for required documentation; whether raw audit logs fall under it is debated, and the conservative program keeps them six years. FedRAMP requires one year online plus three offline. SOC 2 leaves duration to entity policy, but auditors typically expect 12+ months.","lastReviewed":"2026-05-22","anchor":"https://askmeidentity.com/resources/iam-compliance-crosswalk/#control-audit-log-retention"},{"id":"audit-evidence-program","name":"Evidence collection program","description":"Repeatable process for producing audit-ready evidence on demand for in-scope IAM controls.","family":"audit","mappings":{"nist80053":"CA-2, CA-7","iso27001":"Clause 9.2, A.5.35","soc2":"CC4.1, CC4.2","hipaa":"§ 164.308(a)(8) — Evaluation","ffiec":"Audit § II — Audit Program","fedramp":"ConMon: CA-7, monthly evidence cycle"},"engineeringNotes":"Evidence-as-code (generated continuously) reduces audit cost meaningfully and is becoming the expected posture for FedRAMP-authorized programs.","lastReviewed":"2026-05-22","anchor":"https://askmeidentity.com/resources/iam-compliance-crosswalk/#control-audit-evidence-program"},{"id":"ciam-customer-mfa","name":"Customer-side MFA","description":"Multi-factor authentication offered (and increasingly required) for end-customer accounts on sensitive surfaces.","family":"ciam","mappings":{"nist80053":"IA-2, IA-8","iso27001":"A.5.17","soc2":"CC6.1, CC6.6","hipaa":"§ 164.308(a)(5)(ii)(D) — when patient portals access ePHI","ffiec":"Authentication and Access to Financial Institution Services and Systems (Aug 2021)","fedramp":"IA-8 for non-organizational users on Moderate + High"},"engineeringNotes":"NYDFS Part 500 and the August 2021 FFIEC authentication guidance both expect risk-based MFA on consumer financial surfaces. Passkeys are increasingly the strongest practical answer.","lastReviewed":"2026-05-22","anchor":"https://askmeidentity.com/resources/iam-compliance-crosswalk/#control-ciam-customer-mfa"},{"id":"ciam-account-recovery","name":"Account recovery & step-up","description":"Customer account recovery flows that do not silently weaken the primary authentication posture.","family":"ciam","mappings":{"nist80053":"IA-5(1)(f)","iso27001":"A.5.17","soc2":"CC6.6","hipaa":"§ 164.308(a)(5)(ii)(D)","ffiec":"Authentication and Access to Financial Institution Services and Systems (Aug 2021) — layered security","fedramp":"IA-5(1)"},"engineeringNotes":"Email-only recovery on a passkey-protected account is a step-down attack waiting to happen. Document the recovery posture explicitly in the SSP / control narrative.","lastReviewed":"2026-05-22","anchor":"https://askmeidentity.com/resources/iam-compliance-crosswalk/#control-ciam-account-recovery"}],"counts":{"total":14}}