Has your organization implemented standards-based approaches for identity assertions across all contexts, including proper generation, protection, and verification methods?
Explanation
This question focuses on standards-based identity assertions: whether you generate, protect, and verify assertions using recognized standards in every context. Such standards ensure that when a user's identity is asserted across systems or applications, the information is properly formatted, digitally signed or encrypted to prevent tampering, and verified before access is granted.
Evidence could include documentation of your identity management architecture showing which standards are implemented, configuration guides for identity providers and service providers, code samples showing proper implementation of digital signatures or encryption for assertions, and logs demonstrating proper validation of identity assertions in production systems.
Implementation Example
Implement standards-based approaches for identity assertions in all contexts, and follow all guidance for the generation (e.g., data models, metadata), protection (e.g., digital signing, encryption), and verification (e.g., signature validation) of identity assertions.
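As an added illustration that is not part of this assessment item, the following Python sketches the generate / protect / verify cycle described above for an HMAC-signed assertion: the relying party checks the signature before reading any claim, then checks issuer, audience and validity window. The key, issuer and audience values are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key; a real deployment keeps signing keys in an HSM or KMS.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def generate_assertion(key, issuer, subject, audience, ttl=300, now=None):
    """Build a signed assertion: base64url(payload) + '.' + base64url(HMAC-SHA256 tag)."""
    now = int(time.time()) if now is None else now
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"

def verify_assertion(token, key, expected_issuer, expected_audience, now=None):
    """Return (claims, None) if the assertion is authentic and in scope, else (None, reason)."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return None, "malformed assertion"
    # Verify the signature before trusting any field of the payload.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None, "signature mismatch"
    claims = json.loads(body)
    if claims.get("iss") != expected_issuer:
        return None, "unexpected issuer"
    if claims.get("aud") != expected_audience:
        return None, "assertion not intended for this relying party"
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None, "assertion expired or not yet valid"
    return claims, None
```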
ID: PR.AA-04.206
Context
- Function: PR: PROTECT
- Category: PR.AA: Identity Management, Authentication, and Access Control
- Sub-Category: Identity assertions are protected, conveyed, and verified
Related questions
- Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
- Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
- Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
- Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
- Does your organization verify individuals' identities during enrollment using government-issued credentials?
- Does your organization issue unique credentials to each individual user and prohibit credential sharing?

