Framework Category

Identity Management, Authentication, and Access Control

Identity Management, Authentication, and Access Control ensures that only verified and authorized users, services, and devices can access systems and data.

It includes identity proofing, credential management, authentication, and strict enforcement of access policies based on least privilege and separation of duties—covering both digital and physical access.

Implementation Questions

PR.AA-01

Identities and credentials for authorized users, services, and hardware are managed by the organization

Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?

This question examines whether access provisioning is disciplined: whether there is a formal process to request, track, review, and fulfill access, with approval from the relevant system or data owner. A formal process ensures that access is granted only for legitimate business needs, is properly authorized, and leaves an audit trail of requests and approvals.

Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?

A comprehensive cryptographic lifecycle management process ensures that digital certificates, encryption keys, and authentication credentials are properly issued, tracked, rotated, and revoked when necessary.

Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?

Unique device identifiers are crucial for device authentication, inventory management, and security monitoring.

Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?

Physical labeling of hardware assets (such as servers, workstations, network devices, and peripherals) with unique identifiers ensures accurate tracking throughout their lifecycle and facilitates proper inventory management. This practice helps prevent unauthorized equipment from being connected to your network, simplifies asset management during audits, and enables efficient servicing and maintenance operations.

PR.AA-03

Users, services, and hardware are authenticated

Has your organization implemented multifactor authentication (MFA) for all user access to systems containing sensitive data?

Multifactor authentication requires users to provide two or more verification factors to gain access to a resource, significantly reducing the risk of unauthorized access even if passwords are compromised. Common MFA implementations include combinations of something you know (password), something you have (security token or mobile app), and something you are (biometric verification).

Does your organization enforce minimum strength requirements for passwords, PINs, and other authenticators?

Password strength policies are essential for preventing unauthorized access through brute force or dictionary attacks. Strong policies typically include requirements for minimum length, complexity (uppercase, lowercase, numbers, special characters), and restrictions on common or previously breached passwords.

Does your organization implement periodic reauthentication requirements for users, services, and hardware based on risk levels, particularly in zero trust architectures?

Periodic reauthentication helps verify that the entity accessing resources is still the authorized entity, reducing the risk of compromised credentials or unauthorized access. This control is especially important in zero trust architectures where continuous verification is a core principle.

Has your organization implemented a process to ensure emergency access to critical safety systems for authorized personnel?

This question examines emergency access readiness: whether a process exists that lets authorized personnel reach critical safety systems when normal access methods fail. For example, during a system outage or ransomware attack, or when primary administrators are unavailable, designated personnel should still be able to access the systems needed for safety operations.

PR.AA-04

Identity assertions are protected, conveyed, and verified

Does your organization implement controls to protect identity assertions used in single sign-on (SSO) systems?

Identity assertions contain authentication data and user attributes that are passed between systems during SSO processes. If these assertions are not properly protected, attackers could intercept, modify, or forge them to gain unauthorized access to multiple systems with a single compromise.

Does your organization implement controls to protect identity assertions used in federated authentication systems?

Identity assertions contain sensitive authentication and user information that is exchanged between federated systems (such as SAML tokens, OAuth tokens, or JWT). These assertions need protection against interception, tampering, and replay attacks through measures like encryption, digital signatures, and secure transmission protocols. Proper protection prevents unauthorized access to systems and data through compromised identity information.

Has your organization implemented standards-based approaches for identity assertions across all contexts, including proper generation, protection, and verification methods?

This question examines whether identity assertions are standards-based: whether you generate, protect, and verify them using recognized standards in every context. Such standards ensure that when a user's identity is asserted across systems or applications, the information is properly formatted, digitally signed or encrypted to prevent tampering, and verified before access is granted.
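As an added example (not part of this page or the ResponseHub questionnaire), the following Python shows what "verified before access is granted" means for a relying party that receives HS256-signed JWT assertions: it pins the algorithm, checks the signature in constant time, and enforces expiry, audience and single use to block tampering and replay. The shared key, audience name, identity-provider stand-in and token claims are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: the HMAC key shared with the identity provider and the audience this service expects.
SHARED_KEY = b"example-shared-secret-do-not-use"
EXPECTED_AUDIENCE = "payroll-api"
SEEN_JTI = set()  # replay cache: assertion IDs already accepted by this service

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_assertion(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Mint an HS256 JWT the way a (hypothetical) identity provider would; used only to build test input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_assertion(token: str, now: float, key: bytes = SHARED_KEY) -> tuple:
    """Return (accepted, reason); checks structure, alg, signature, expiry, audience and replay, in that order."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad UTF-8 or bad JSON
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    # Pin the algorithm: never let the token's own header choose it (blocks "none" and alg confusion).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return False, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience"
    jti = claims.get("jti")
    if not jti or jti in SEEN_JTI:  # each assertion may be presented exactly once
        return False, "replayed or missing jti"
    SEEN_JTI.add(jti)
    return True, "ok"
```

The checks are ordered so that the cheapest structural rejections happen before any key is used, and the replay cache is only updated after every other check has passed.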

PR.AA-05

Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties

Does your organization have a formal process to review and promptly revoke access privileges when employees change roles or leave the organization?

Regular review of access privileges ensures that individuals only have access to the systems and data necessary for their current role, reducing the risk of unauthorized access. When employees change roles or leave, outdated access privileges can create security vulnerabilities if not promptly revoked.

Does your authorization system consider contextual attributes such as geolocation, time of access, or device security posture when making access decisions?

Context-aware authorization enhances security by evaluating not just who is requesting access, but also the circumstances of the request. For example, your system might deny access to sensitive data when requested from an unusual location, outside business hours, or from a device that doesn't meet security requirements.
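As an added example (not part of this page), the following Python sketches a policy decision point for the control just described: a role entitlement check enforces least privilege, and for sensitive resources the request's geolocation, time of access and device posture are evaluated as well, with every failed check reported as a denial reason. The allowed countries, business hours, required posture attributes and request fields are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy values for this example; a real deployment would load these from its policy store.
ALLOWED_COUNTRIES = {"GB", "IE"}
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 UTC
REQUIRED_POSTURE = {"disk_encrypted", "os_patched", "edr_running"}
SENSITIVE_ROLES = {"finance", "admin"}  # roles entitled to sensitive resources

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    sensitivity: str          # "public" | "internal" | "sensitive"
    country: str              # geolocation of the request, ISO country code
    at: str                   # ISO 8601 timestamp with UTC offset, e.g. "2024-03-05T10:30:00+00:00"
    device_posture: frozenset # posture attributes the device attested to

def decide(req: AccessRequest) -> tuple:
    """Return (allow, reasons). Identity and entitlement first, then context for sensitive data."""
    reasons = []
    # Least privilege: the role must be entitled to this class of resource at all.
    if req.sensitivity == "sensitive" and req.role not in SENSITIVE_ROLES:
        reasons.append("role not entitled")
    # Contextual attributes apply extra scrutiny only to sensitive resources.
    if req.sensitivity == "sensitive":
        if req.country not in ALLOWED_COUNTRIES:
            reasons.append(f"unusual location {req.country}")
        hour = datetime.fromisoformat(req.at).astimezone(timezone.utc).hour
        if hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        missing = REQUIRED_POSTURE - req.device_posture
        if missing:
            reasons.append("device posture: missing " + ", ".join(sorted(missing)))
    return (not reasons, reasons)
```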

Has your organization implemented a least privilege access model that restricts user access and privileges to only what is necessary for their job functions?

Least privilege access control ensures users have only the minimum permissions needed to perform their job functions, reducing the potential attack surface and limiting the impact of compromised accounts. This approach is a core principle of zero trust architecture, where no user or system is inherently trusted, and verification is required for all access requests regardless of location or network.

Does your organization regularly review and validate that privileges for critical business functions maintain proper separation of duties?

Separation of duties ensures that no single individual has control over an entire critical process, reducing the risk of fraud, errors, and unauthorized activities. Regular reviews help identify when roles have accumulated excessive privileges over time or when organizational changes have created conflicts in duty separation.

PR.AA-06

Physical access to assets is managed, monitored, and enforced commensurate with risk

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub