Framework Category
Identity Management, Authentication, and Access Control
Identity Management, Authentication, and Access Control ensures that only verified and authorized users, services, and devices can access systems and data.
It includes identity proofing, credential management, authentication, and strict enforcement of access policies based on least privilege and separation of duties—covering both digital and physical access.
Implementation Questions
PR.AA-01
Identities and credentials for authorized users, services, and hardware are managed by the organization
Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
This question assesses whether your organization has implemented a structured access management process that governs how users obtain new or additional system access. A formal process ensures that access is granted based on legitimate business needs, receives proper authorization, and maintains an audit trail of requests and approvals.
Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
A comprehensive cryptographic lifecycle management process ensures that digital certificates, encryption keys, and authentication credentials are properly issued, tracked, rotated, and revoked when necessary. This prevents unauthorized access due to compromised or expired credentials and maintains the integrity of encrypted communications and data. Organizations should maintain an inventory of all cryptographic assets, implement automated rotation schedules, establish secure key storage mechanisms, and have clear procedures for emergency revocation. Evidence could include a documented key management policy, certificate inventory reports, screenshots of a certificate management system, logs showing regular key rotation activities, or a process diagram showing the credential lifecycle workflow.
Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
Unique device identifiers are crucial for device authentication, inventory management, and security monitoring. These identifiers should be either based on immutable hardware characteristics (like MAC addresses, CPU IDs, or hardware serial numbers) or securely provisioned to the device during manufacturing or initialization (such as TPM-based identifiers or cryptographic certificates). As evidence, you could provide documentation of your device identification scheme, including the source of identifiers (hardware-based or provisioned), how they are assigned and tracked, and how these identifiers are protected from tampering or spoofing. This might include device enrollment procedures, inventory management system screenshots showing unique identifiers, or technical specifications for your device provisioning process.
Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
Physical labeling of hardware assets (such as servers, workstations, network devices, and peripherals) with unique identifiers ensures accurate tracking throughout their lifecycle and facilitates proper inventory management. This practice helps prevent unauthorized equipment from being connected to your network, simplifies asset management during audits, and enables efficient servicing and maintenance operations.
PR.AA-02
Identities are proofed and bound to credentials based on the context of interactions
Does your organization verify individuals' identities during enrollment using government-issued credentials?
This question assesses whether your organization validates the true identity of users during initial account creation or enrollment by requiring government-issued identification documents like passports, driver's licenses, or national ID cards. This verification process helps prevent identity fraud, account takeovers, and ensures only legitimate users gain access to your systems and services.
Does your organization issue unique credentials to each individual user and prohibit credential sharing?
Unique credentials ensure accountability and traceability of actions performed within systems, making it possible to identify who accessed what resources and when. Shared credentials create security vulnerabilities as they make it impossible to attribute actions to specific individuals, complicate access revocation when someone leaves, and often lead to weaker password practices.
PR.AA-03
Users, services, and hardware are authenticated
Has your organization implemented multifactor authentication (MFA) for all user access to systems containing sensitive data?
Multifactor authentication requires users to provide two or more verification factors to gain access to a resource, significantly reducing the risk of unauthorized access even if passwords are compromised. Common MFA implementations include combinations of something you know (password), something you have (security token or mobile app), and something you are (biometric verification).
Does your organization enforce minimum strength requirements for passwords, PINs, and other authenticators?
Password strength policies are essential for preventing unauthorized access through brute force or dictionary attacks. Strong policies typically include requirements for minimum length, complexity (uppercase, lowercase, numbers, special characters), and restrictions on common or previously breached passwords.
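The three controls named above (minimum length, character-class complexity, and a deny-list of common or breached passwords) can be enforced in a single check at enrollment or password-change time. The following is an added example, not code from the page or from ResponseHub; the minimum length of 12 and the four-entry breached-password set are constructed sample policy values, and a real deployment would load a full breach corpus or query a k-anonymity range service instead of an inline set.

```python
"""Password policy check: length, character classes, breached-password deny-list.
Added illustration; policy values below are assumptions, not from the page."""
import string

MIN_LENGTH = 12  # assumed policy value

# Constructed sample deny-list. In practice this is a large breach corpus
# or a lookup against a hashed-prefix (k-anonymity) API.
BREACHED_PASSWORDS = {"password123", "letmein", "qwerty123456", "Welcome2024!"}
_BREACHED_LOWER = {p.lower() for p in BREACHED_PASSWORDS}


def check_password(candidate: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Complexity: require each character class the policy names.
    classes = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    # Deny-list check is case-insensitive so trivial capitalisation does not evade it.
    if candidate.lower() in _BREACHED_LOWER:
        problems.append("appears in breached-password list")

    return problems


if __name__ == "__main__":
    for pw in ["Welcome2024!", "correct horse battery", "Tr0ub4dor&3", "Zx9#pLq2!vTm"]:
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Note that the deny-list check runs even when the other rules pass: "Welcome2024!" satisfies length and complexity yet is rejected because it is a known-breached value, which is the case complexity rules alone miss.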
Does your organization implement periodic reauthentication requirements for users, services, and hardware based on risk levels, particularly in zero trust architectures?
Periodic reauthentication helps verify that the entity accessing resources is still the authorized entity, reducing the risk of compromised credentials or unauthorized access. This control is especially important in zero trust architectures where continuous verification is a core principle. Examples include requiring users to re-enter credentials after a period of inactivity, services to refresh authentication tokens regularly, and hardware devices to periodically validate their identity through certificates or other mechanisms.
Has your organization implemented a process to ensure emergency access to critical safety systems for authorized personnel?
This question assesses whether your organization has established procedures for authorized personnel to access critical accounts during emergencies when normal access methods might be unavailable. For example, during a system outage, ransomware attack, or when primary administrators are unavailable, designated personnel should still be able to access systems necessary for safety operations.
PR.AA-04
Identity assertions are protected, conveyed, and verified
Does your organization implement controls to protect identity assertions used in single sign-on (SSO) systems?
Identity assertions contain authentication data and user attributes that are passed between systems during SSO processes. If these assertions are not properly protected, attackers could intercept, modify, or forge them to gain unauthorized access to multiple systems with a single compromise. Protection measures typically include encryption of assertions, digital signatures, proper token validation, secure transmission channels, and short token lifetimes.
Does your organization implement controls to protect identity assertions used in federated authentication systems?
Identity assertions contain sensitive authentication and user information that is exchanged between federated systems (such as SAML tokens, OAuth tokens, or JWT). These assertions need protection against interception, tampering, and replay attacks through measures like encryption, digital signatures, and secure transmission protocols. Proper protection prevents unauthorized access to systems and data through compromised identity information.
Has your organization implemented standards-based approaches for identity assertions across all contexts, including proper generation, protection, and verification methods?
This question assesses whether your organization follows industry standards (such as SAML, OAuth, OpenID Connect) for creating, protecting, and verifying identity assertions. These standards ensure that when a user's identity is asserted across systems or applications, the information is properly formatted, digitally signed or encrypted to prevent tampering, and verified before access is granted.
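The protections listed for PR.AA-04 (signature over the assertion, short token lifetime, audience binding, replay resistance) and the token-refresh point under PR.AA-03 can be seen together in a small relying-party verifier. The following is an added example, not the page's own code and not a SAML, OAuth or JWT library: it uses an HMAC-SHA256 signature with a shared key, which is an assumption made for self-containment (production federations typically use asymmetric signatures so the issuer's signing key never leaves the issuer). The key, subject names and clock values are constructed.

```python
"""Minimal signed identity assertion with expiry, audience and replay checks.
Added illustration; HMAC with a shared key is an assumption for self-containment."""
import base64
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"example-shared-key-do-not-use"  # constructed, example only
ASSERTION_LIFETIME = 120  # seconds; a short lifetime bounds the replay window


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject: str, audience: str, now: int, key: bytes = SHARED_KEY) -> str:
    """Issuer side: serialise claims, sign them, return '<claims>.<signature>'."""
    claims = {
        "sub": subject,
        "aud": audience,          # which relying party may accept this assertion
        "iat": now,
        "exp": now + ASSERTION_LIFETIME,
        "jti": secrets.token_hex(8),  # one-time id used for replay detection
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


class RelyingParty:
    """Service-provider side: verify signature, audience, lifetime and replay."""

    def __init__(self, audience: str, key: bytes = SHARED_KEY):
        self.audience = audience
        self.key = key
        self.seen_ids: set[str] = set()  # accepted jti values; prune after exp in practice

    def verify(self, token: str, now: int):
        """Return (subject, "ok") on success, or (None, reason) on rejection."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None, "malformed"
        # Check the signature before parsing anything else from the token.
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time compare
            return None, "bad signature"
        claims = json.loads(_unb64(body))
        if claims.get("aud") != self.audience:
            return None, "wrong audience"
        if now >= claims["exp"]:
            return None, "expired"
        if claims["jti"] in self.seen_ids:
            return None, "replayed"
        self.seen_ids.add(claims["jti"])
        return claims["sub"], "ok"


if __name__ == "__main__":
    token = issue_assertion("alice", "app-a", now=1000)
    rp = RelyingParty("app-a")
    print(rp.verify(token, now=1010))   # accepted
    print(rp.verify(token, now=1020))   # same token again: replayed
    print(RelyingParty("app-b").verify(token, now=1010))  # wrong audience
```

The order of checks matters: the signature is verified before any claim is trusted, so a forged or tampered body is rejected without its contents ever influencing the decision, and the `jti` cache is only written after every other check passes.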
PR.AA-05
Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
Does your organization have a formal process to review and promptly revoke access privileges when employees change roles or leave the organization?
Regular review of access privileges ensures that individuals only have access to the systems and data necessary for their current role, reducing the risk of unauthorized access. When employees change roles or leave, outdated access privileges can create security vulnerabilities if not promptly revoked.
Does your authorization system consider contextual attributes such as geolocation, time of access, or device security posture when making access decisions?
Context-aware authorization enhances security by evaluating not just who is requesting access, but also the circumstances of the request. For example, your system might deny access to sensitive data when requested from an unusual location, outside business hours, or from a device that doesn't meet security requirements.
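A context-aware policy decision point evaluates the request's circumstances alongside the requester's identity. The following is an added example, not code from the page or from ResponseHub: the allowed-country set, business-hours window and posture requirements are constructed policy values, and the three-way outcome (allow, step-up, deny) is a design choice of the example, where an off-hours request for sensitive data triggers a fresh MFA challenge rather than an outright denial.

```python
"""Context-aware authorization decision: location, time of access, device posture.
Added illustration; policy values are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class RequestContext:
    user: str
    resource_sensitivity: str   # "public" | "internal" | "sensitive"
    country: str                # from source-IP geolocation, ISO 3166 code
    local_hour: int             # 0-23 at the requester's location
    device_managed: bool        # enrolled in device management
    disk_encrypted: bool        # reported by the endpoint agent
    mfa_satisfied: bool         # MFA completed recently in this session


ALLOWED_COUNTRIES = {"GB", "IE"}   # assumed policy value
BUSINESS_HOURS = range(7, 20)      # assumed policy value, 07:00-19:59 local


def authorize(ctx: RequestContext):
    """Return (decision, reasons) where decision is "allow", "step-up" or "deny"."""
    if ctx.resource_sensitivity != "sensitive":
        return "allow", ["non-sensitive resource; contextual checks not applied"]

    reasons = []
    if ctx.country not in ALLOWED_COUNTRIES:
        reasons.append(f"request from unexpected location {ctx.country}")
    if not (ctx.device_managed and ctx.disk_encrypted):
        reasons.append("device does not meet posture requirements")
    if reasons:
        return "deny", reasons

    # Off-hours access from a compliant device in an expected location:
    # require a fresh MFA factor instead of denying outright.
    if ctx.local_hour not in BUSINESS_HOURS and not ctx.mfa_satisfied:
        return "step-up", ["outside business hours; fresh MFA required"]

    return "allow", ["all contextual checks passed"]


if __name__ == "__main__":
    req = RequestContext("alice", "sensitive", "GB", 23, True, True, False)
    print(authorize(req))
```

Hard failures (wrong location, non-compliant device) are collected together so the decision log explains every reason for a denial, which is what an access reviewer or incident responder needs when reading the audit trail later.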
Has your organization implemented a least privilege access model that restricts user access and privileges to only what is necessary for their job functions?
Least privilege access control ensures users have only the minimum permissions needed to perform their job functions, reducing the potential attack surface and limiting the impact of compromised accounts. This approach is a core principle of zero trust architecture, where no user or system is inherently trusted, and verification is required for all access requests regardless of location or network.
Does your organization regularly review and validate that privileges for critical business functions maintain proper separation of duties?
Separation of duties ensures that no single individual has control over an entire critical process, reducing the risk of fraud, errors, and unauthorized activities. Regular reviews help identify when roles have accumulated excessive privileges over time or when organizational changes have created conflicts in duty separation.
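A periodic separation-of-duties review can be automated as a check of each user's accumulated roles against a list of toxic combinations, and the same logic can run preventively when a new access request is fulfilled (PR.AA-01). The following is an added example, not code from the page or from ResponseHub; the user-to-role assignments and the toxic pairs are constructed sample data.

```python
"""Separation-of-duties review: detect toxic role combinations, both in the
current assignment set and before a new grant is applied.
Added illustration; all assignments and toxic pairs below are constructed."""

# Constructed sample: which roles each user currently holds.
ASSIGNMENTS = {
    "alice": {"vendor-create", "payment-approve"},
    "bob": {"vendor-create"},
    "carol": {"payment-approve", "journal-post"},
    "dave": {"code-commit", "prod-deploy", "payment-approve"},
}

# Constructed toxic combinations: holding both roles lets one person run a
# critical process end to end with no second pair of eyes.
TOXIC_PAIRS = {
    frozenset({"vendor-create", "payment-approve"}),
    frozenset({"code-commit", "prod-deploy"}),
}


def find_sod_conflicts(assignments, toxic_pairs):
    """Detective review: list (user, (role_a, role_b)) for every violated pair."""
    conflicts = []
    for user, roles in assignments.items():
        for pair in toxic_pairs:
            if pair <= roles:  # user holds every role in the toxic pair
                conflicts.append((user, tuple(sorted(pair))))
    return sorted(conflicts)


def would_conflict(assignments, toxic_pairs, user, new_role):
    """Preventive check at request time: roles already held that clash with new_role."""
    held = assignments.get(user, set())
    return sorted(
        other
        for pair in toxic_pairs if new_role in pair
        for other in pair - {new_role} if other in held
    )


if __name__ == "__main__":
    for user, pair in find_sod_conflicts(ASSIGNMENTS, TOXIC_PAIRS):
        print(f"conflict: {user} holds {pair[0]} and {pair[1]}")
    print("bob + payment-approve clashes with:",
          would_conflict(ASSIGNMENTS, TOXIC_PAIRS, "bob", "payment-approve"))
```

Running the detective check on a schedule catches privilege that has accumulated over time; running the preventive check inside the access-request workflow stops the conflict from being created in the first place, which is the cheaper place to enforce it.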
PR.AA-06
Physical access to assets is managed, monitored, and enforced commensurate with risk
Does your organization implement physical security controls to monitor facilities and restrict unauthorized access?
Physical security controls are essential for protecting sensitive assets, data, and personnel from unauthorized physical access. These controls typically include security guards, surveillance cameras, access control systems (key cards, biometric scanners), alarm systems, and locked entrances/exits to create layers of protection around your facilities.
Has your organization implemented enhanced physical security controls for areas containing high-risk assets?
High-risk assets (such as critical servers, sensitive data storage, financial systems, or intellectual property) require additional layers of physical protection beyond standard security measures. These enhanced controls might include biometric access systems, mantrap entries, 24/7 security personnel, CCTV monitoring, motion sensors, or reinforced physical barriers.
Does your organization have a formal escort policy requiring all guests, vendors, and third parties to be accompanied by authorized personnel when accessing areas containing business-critical assets?
This control prevents unauthorized access to sensitive areas and reduces the risk of data breaches, theft, or sabotage by requiring continuous supervision of non-employees. Without proper escort procedures, visitors might inadvertently or deliberately access, damage, or compromise critical systems, infrastructure, or sensitive information.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.