
IAM frameworks compared — the side-by-side.

Definitive comparison of the IAM regulatory + compliance frameworks. What each requires, who it applies to, and how their identity controls map to each other.

  • 10 frameworks covered
  • 6 sectors mapped
  • 50+ identity controls aligned
  • Last reviewed: 2026

NIST 800-53

NIST 800-53 Rev 5 — Security and Privacy Controls

Who it applies to
US federal information systems, FedRAMP-authorized cloud, state government, defense industrial base (DIB).
Identity focus
Most granular identity-control catalog in widespread use. AC (Access Control) and IA (Identification and Authentication) families together cover ~50 controls dedicated to identity.
Key identity controls
  • AC-2 Account Management
  • AC-3 Access Enforcement
  • AC-6 Least Privilege
  • AC-17 Remote Access
  • IA-2 Identification and Authentication (Organizational Users)
  • IA-5 Authenticator Management
  • IA-8 Identification and Authentication (Non-Organizational Users)
Enforced by
FedRAMP, FISMA, CMMC 2.0, NYDFS Part 500 (references NIST), most US state-level frameworks
Cost of failure
FedRAMP authorization revocation; FISMA non-compliance reporting to OMB; CMMC contract ineligibility
ISO 27001 (2022)

ISO/IEC 27001:2022 — Information Security Management

Who it applies to
Global. Often required by enterprise customers in EU, UK, APAC. Voluntary in US but routinely required by procurement.
Identity focus
Less prescriptive than NIST — defines control objectives, not specific implementations. Annex A 5.15-5.18 cover access control; 8.5-8.7 cover identity management.
Key identity controls
  • A.5.15 Access Control Policy
  • A.5.16 Identity Management
  • A.5.17 Authentication Information
  • A.5.18 Access Rights
  • A.8.5 Secure Authentication
Enforced by
Customer procurement, voluntary certification audited by accredited certification bodies
Cost of failure
Loss of certification; loss of customer contracts that require it as a procurement gate
SOC 2 Type II

AICPA SOC 2 Type II — Trust Services Criteria

Who it applies to
SaaS / cloud-service providers. Effectively mandatory for B2B SaaS selling to mid-market and above.
Identity focus
Common Criteria CC6 (Logical and Physical Access Controls) is the identity-heavy section. Less prescriptive than NIST; auditor latitude is significant.
Key identity controls
  • CC6.1 Logical access controls
  • CC6.2 Registration + authorization of users
  • CC6.3 Modify + remove access
  • CC6.6 Logical access to system components
  • CC6.8 Authentication credentials
Enforced by
AICPA-licensed CPA firms; customer due-diligence cycles
Cost of failure
Customer contract loss; sales cycles stalling at security review
FFIEC IT Handbook

FFIEC IT Examination Handbook — Information Security + Authentication booklets

Who it applies to
US banks + credit unions regulated by FFIEC member agencies (FRB, FDIC, OCC, NCUA, CFPB).
Identity focus
Authentication booklet (2021 update) is the heart of FFIEC's identity guidance. Strong customer authentication, layered security, third-party access risk.
Key identity controls
  • Strong customer authentication (multi-factor for high-risk transactions)
  • Privileged user authentication
  • Third-party access management
  • Layered security for online banking
Enforced by
Quarterly examinations by FFIEC member agencies
Cost of failure
Matters Requiring Attention (MRA), Matters Requiring Immediate Attention (MRIA), enforcement actions
NYDFS Part 500

NYDFS 23 NYCRR Part 500 — Cybersecurity Regulation

Who it applies to
Financial services entities licensed in New York (banks, insurance, mortgage brokers, money transmitters).
Identity focus
Most prescriptive state-level identity regulation in the US. §500.7 Access Privileges + §500.12 Multi-Factor Authentication explicitly call out IAM controls.
Key identity controls
  • §500.7 Limit access privileges + periodic review
  • §500.12 Multi-factor authentication for any external access
  • §500.14 Monitoring + training
  • §500.16 Incident response with identity scope
  • §500.17 Notification within 72 hours of cybersecurity event
Enforced by
NYDFS examination + investigation
Cost of failure
Civil monetary penalty (Equifax = $10M+); covenant violations; license revocation
FedRAMP

Federal Risk and Authorization Management Program

Who it applies to
Cloud service providers serving US federal agencies.
Identity focus
Inherits NIST 800-53 controls at the chosen impact level (Low / Moderate / High). Identity controls = NIST AC + IA families fully inherited.
Key identity controls
  • Inherits NIST 800-53 AC + IA families
  • Plus phishing-resistant MFA under OMB M-22-09
  • Plus continuous monitoring per FedRAMP ConMon requirements
Enforced by
JAB or agency authorization; annual 3PAO assessment
Cost of failure
Authorization revocation; federal contract ineligibility
DORA

EU Digital Operational Resilience Act

Who it applies to
EU financial entities + their ICT third-party providers (extraterritorial reach).
Identity focus
Identity is one of the ICT risk management requirements. RTS on ICT risk management framework includes access management + identity-related threat detection.
Key identity controls
  • Article 5 ICT risk management framework
  • Article 9 Identification + classification of ICT assets
  • Article 10 Detection of anomalous activities (identity-layer included)
  • Article 30 ICT third-party risk management
Enforced by
European Supervisory Authorities (ESMA, EIOPA, EBA), national competent authorities
Cost of failure
Up to 2% of total annual worldwide turnover; restrictions on business activities
HIPAA Security Rule

HIPAA Administrative Simplification Security Rule

Who it applies to
US healthcare covered entities and business associates handling ePHI.
Identity focus
§164.308(a)(4) Information Access Management + §164.312(a)(1) Access Control directly target identity. 2024 NPRM significantly tightens MFA + encryption requirements.
Key identity controls
  • §164.308(a)(4) Information access management
  • §164.308(a)(5) Security awareness + training
  • §164.312(a)(1) Access control
  • §164.312(b) Audit controls
  • §164.312(d) Person/entity authentication
Enforced by
HHS Office for Civil Rights (OCR)
Cost of failure
Up to $1.9M per violation category per year; corrective action plans
PCI-DSS 4.0

Payment Card Industry Data Security Standard 4.0

Who it applies to
Anyone handling cardholder data — merchants, processors, gateways, service providers.
Identity focus
Requirements 7 (least privilege) + 8 (identity and authentication) are the identity-specific sections. v4.0 (effective March 2025) significantly raised the MFA + password bar.
Key identity controls
  • Req 7 Restrict access by business need-to-know
  • Req 8.3 MFA for all administrative access
  • Req 8.4 MFA for any non-console admin into CDE
  • Req 8.6 MFA for any access to cardholder data
  • Req 10 Logging + monitoring (incl. identity events)
Enforced by
Acquiring banks + qualified security assessors (QSAs)
Cost of failure
Fines from acquiring banks; loss of card-brand processing; SAQ failure
GDPR

EU General Data Protection Regulation

Who it applies to
Anyone processing personal data of EU residents (extraterritorial reach).
Identity focus
Not an identity framework per se — but Article 5(1)(f) integrity + confidentiality, Article 25 data protection by design, and Article 32 security of processing all imply identity controls.
Key identity controls
  • Article 5(1)(f) Integrity + confidentiality
  • Article 25 Data protection by design + default
  • Article 32 Security of processing
  • Recital 75 Identity controls as risk mitigation
Enforced by
EU data protection authorities (CNIL, BfDI, Garante, etc.)
Cost of failure
Up to €20M or 4% of annual global turnover, whichever is higher
Cross-mapping

Where the identity controls overlap.

The practitioner's question is rarely "which framework?" — it's "given that I need to satisfy three of these, what is the minimum control set?" The answer below is what we ship most often.

  • Access control + least privilege

    NIST AC-3 + AC-6 ≈ ISO 27001 A.5.18 ≈ SOC 2 CC6.1 ≈ HIPAA §164.308(a)(4) ≈ PCI Req 7. Build once; map evidence five ways.

  • Authentication strength

    NIST IA-2 ≈ NYDFS §500.12 ≈ PCI Req 8.3-8.6 ≈ FFIEC Authentication booklet ≈ FedRAMP MFA. Phishing-resistant MFA satisfies all of them.

  • Account lifecycle

    NIST AC-2 ≈ ISO 27001 A.5.16 ≈ SOC 2 CC6.2 + CC6.3 ≈ HIPAA §164.308(a)(4). Joiner/mover/leaver with audit trail is the universal answer.

  • Privileged access

    NIST AC-6(3) + AC-17 ≈ ISO 27001 A.8.2 ≈ NYDFS §500.7 ≈ PCI Req 8.3. Vault + just-in-time + session recording maps to all.
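
The four crosswalk rows above can be carried as data and queried, which is how "build once; map evidence five ways" becomes something an audit team can actually run. The following is an added example, not code from the original page or from the practice that wrote it: the framework-to-clause pairs are exactly the ones listed in the four bullets above; the short control names, the evidence identifier, and the function names are assumptions made for illustration. Given a set of target frameworks it returns the minimum control set, the clauses each framework gets covered, which requested frameworks the crosswalk has no row for (GDPR and DORA on this page), and how one piece of evidence fans out to each auditor's clause IDs.

```python
"""Control crosswalk: one control implemented once, evidence mapped to several
frameworks. Added example (not from the original page); framework/clause pairs
come from the page's cross-mapping bullets, everything else is illustrative."""
from collections.abc import Mapping
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    """One control you implement once, and the clauses it satisfies per framework."""
    name: str
    satisfies: Mapping[str, tuple[str, ...]]  # framework -> clause identifiers


# One row per bullet in "Where the identity controls overlap".
CROSSWALK: tuple[Control, ...] = (
    Control("access_control", {              # access control + least privilege
        "NIST 800-53": ("AC-3", "AC-6"),
        "ISO 27001": ("A.5.18",),
        "SOC 2": ("CC6.1",),
        "HIPAA": ("§164.308(a)(4)",),
        "PCI-DSS": ("Req 7",),
    }),
    Control("authentication_strength", {     # phishing-resistant MFA
        "NIST 800-53": ("IA-2",),
        "NYDFS": ("§500.12",),
        "PCI-DSS": ("Req 8.3", "Req 8.4", "Req 8.6"),
        "FFIEC": ("Authentication booklet",),
        "FedRAMP": ("MFA per OMB M-22-09",),
    }),
    Control("account_lifecycle", {           # joiner/mover/leaver with audit trail
        "NIST 800-53": ("AC-2",),
        "ISO 27001": ("A.5.16",),
        "SOC 2": ("CC6.2", "CC6.3"),
        "HIPAA": ("§164.308(a)(4)",),
    }),
    Control("privileged_access", {           # vault + just-in-time + session recording
        "NIST 800-53": ("AC-6(3)", "AC-17"),
        "ISO 27001": ("A.8.2",),
        "NYDFS": ("§500.7",),
        "PCI-DSS": ("Req 8.3",),
    }),
)


def minimum_control_set(frameworks: set[str]) -> list[str]:
    """Names of the crosswalk controls needed to cover every requested framework.

    A row is required whenever it maps to at least one requested framework; each
    row covers a distinct clause set, so nothing selected is redundant.
    """
    return sorted(c.name for c in CROSSWALK if frameworks.intersection(c.satisfies))


def clauses_covered(frameworks: set[str]) -> dict[str, list[str]]:
    """For each requested framework, the clause IDs the control set covers (deduplicated)."""
    covered: dict[str, list[str]] = {fw: [] for fw in sorted(frameworks)}
    for control in CROSSWALK:
        for fw, clauses in control.satisfies.items():
            if fw in frameworks:
                covered[fw].extend(x for x in clauses if x not in covered[fw])
    return covered


def unmapped_frameworks(frameworks: set[str]) -> list[str]:
    """Requested frameworks that no crosswalk row maps to; these need their own gap analysis."""
    mapped = {fw for control in CROSSWALK for fw in control.satisfies}
    return sorted(frameworks - mapped)


def evidence_map(control_name: str, evidence_id: str,
                 frameworks: Optional[set[str]] = None) -> dict[str, list[tuple[str, str]]]:
    """Attach one evidence artifact to a control and list it under every clause it supports.

    The same artifact (say, a quarterly access-review export) is collected once,
    and each framework's auditor sees it against their own clause identifiers.
    """
    matches = [c for c in CROSSWALK if c.name == control_name]
    if not matches:
        raise KeyError(f"unknown control: {control_name}")
    control = matches[0]
    return {
        fw: [(clause, evidence_id) for clause in clauses]
        for fw, clauses in control.satisfies.items()
        if frameworks is None or fw in frameworks
    }


if __name__ == "__main__":
    targets = {"SOC 2", "HIPAA", "ISO 27001", "GDPR"}
    print("controls needed:", minimum_control_set(targets))
    print("clauses covered:", clauses_covered(targets))
    print("no crosswalk row:", unmapped_frameworks(targets))
    # Constructed evidence identifier for illustration only.
    print(evidence_map("access_control", "EV-2026-Q1-access-review", targets))
```

The unmapped-frameworks check is the part worth keeping in a real program: a crosswalk silently satisfies only what it has rows for, so any target framework that comes back from that function still needs its own mapping before the control set can be called audit-defensible for it.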

Apply this

Scoping IAM against multiple frameworks?

We ship audit-defensible IAM programs that satisfy multiple regulators with one control set. Discovery in 2 weeks; control mapping artifact in 4.

© 2026 askmeidentity, Inc. Safeguard your digital frontier.