Does your organization issue unique credentials to each individual user and prohibit credential sharing?
Explanation
Unique credentials ensure accountability and traceability of actions performed within systems, making it possible to identify who accessed what resources and when. Shared credentials create security vulnerabilities as they make it impossible to attribute actions to specific individuals, complicate access revocation when someone leaves, and often lead to weaker password practices.
Evidence could include a documented policy prohibiting credential sharing, screenshots of user management systems showing individual accounts for each user, audit logs showing unique user IDs for system access, or documentation of technical controls that prevent credential sharing (such as multi-factor authentication tied to individual devices).
Implementation Example
Issue a different credential for each person (i.e., no credential sharing)
ID: PR.AA-02.199
Context
- Function
- PR: PROTECT
- Category
- PR.AA: Identity Management, Authentication, and Access Control
- Sub-Category
- Identities are proofed and bound to credentials based on the context of interactions
Related questions
- Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
- Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
- Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
- Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
- Does your organization verify individuals' identities during enrollment using government-issued credentials?
- Has your organization implemented multifactor authentication (MFA) for all user access to systems containing sensitive data?

