NIST 800-171 • LEVEL 2 • IDENTIFICATION AND AUTHENTICATION
3.5.5 — Identifier Management
Receive authorization from organizational personnel or roles to assign an individual, group, role, service, or device identifier. Select and assign an identifier that identifies an individual, group, role, service, or device. Prevent the reuse of identifiers for {{ insert: param, A.03.05.05.ODP.01 }}. Manage individual identifiers by uniquely identifying each individual as {{ insert: param, A.03.05.05.ODP.02 }}.
Assessment Objectives
- authorization is received from organizational personnel or roles to assign an individual, group, role, service, or device identifier.
- an identifier that identifies an individual, group, role, service, or device is selected.
- an identifier that identifies an individual, group, role, service, or device is assigned.
- the reuse of identifiers for {{ insert: param, A.03.05.05.ODP.01 }} is prevented.
- individual identifiers are managed by uniquely identifying each individual as {{ insert: param, A.03.05.05.ODP.02 }}.
Practitioner Notes
Identifier management covers how you create, assign, and retire usernames and account IDs. Someone with authority must approve each new account before it is created. Never reuse a former employee's username for a new person: the same identifier would then appear in audit logs for two different people, and any group memberships or permissions left on the old account could carry over to the new one.
Example 1: Create a formal account provisioning process in your IT ticketing system. Each new account request requires a ticket with supervisor approval before IT creates the account. In Active Directory, enforce a naming convention (e.g., first.last) and use the Description field to note the approving manager and ticket number. When employees depart, disable (do not delete) accounts and move them to a "Disabled Users" OU.
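The provisioning and offboarding workflow from Example 1, written out as an added PowerShell example that is not part of the original page. It assumes the RSAT ActiveDirectory module is installed and the caller can create, disable and move accounts; the domain name, OU paths, ticket-ID pattern and the names in the usage comments are constructed placeholders, not values from the page. Each function maps to one of the assessment objectives above: authorization before assignment, a first.last identifier, a reuse check against live and deleted objects, and disable-and-move rather than delete.

```powershell
# Added example, not from the page's author: helpers that implement the 3.5.5 practice
# from Example 1 in on-premises Active Directory. Assumptions: the RSAT ActiveDirectory
# module is installed and the caller can create, disable and move accounts; the domain,
# OU paths and ticket-ID pattern below are constructed placeholders, not values from the page.
Import-Module ActiveDirectory

$Domain        = 'corp.example.com'                              # placeholder
$StaffOU       = 'OU=Staff,DC=corp,DC=example,DC=com'            # placeholder
$DisabledOU    = 'OU=Disabled Users,DC=corp,DC=example,DC=com'   # placeholder
$TicketPattern = '^[A-Z]{2,5}-\d+$'                              # placeholder ticket format, e.g. IT-1234

# Naming convention from Example 1: first.last, lower case, letters and dot only.
function New-StandardIdentifier {
    param([Parameter(Mandatory)][string]$GivenName,
          [Parameter(Mandatory)][string]$Surname)
    $sam = ('{0}.{1}' -f $GivenName, $Surname).ToLowerInvariant() -replace '[^a-z.]', ''
    if ($sam.Length -gt 20) { throw "Identifier '$sam' exceeds the 20-character sAMAccountName limit" }
    return $sam
}

# Reuse check. Departed users are disabled, not deleted, so their identifier stays reserved
# on a live object; -IncludeDeletedObjects also catches tombstoned or recycled objects from
# any earlier deletion, so an identifier that was ever used is never handed to a new person.
function Test-IdentifierAvailable {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $existing = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -IncludeDeletedObjects
    return ($null -eq $existing)
}

# Provisioning: no authorization record, no account. The approving manager and ticket are
# written into Description so an assessor can trace every identifier back to its approval.
function New-ApprovedUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$ApprovingManager,
        [Parameter(Mandatory)][string]$TicketId,
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    if ($TicketId -notmatch $TicketPattern) {
        throw "Ticket '$TicketId' does not look like an approval ticket; authorization is required before an identifier is assigned"
    }
    # The approver must be a real, enabled account, not free text.
    $approver = Get-ADUser -Filter "SamAccountName -eq '$ApprovingManager'"
    if (-not $approver -or -not $approver.Enabled) {
        throw "Approving manager '$ApprovingManager' is not an active account"
    }
    $sam = New-StandardIdentifier -GivenName $GivenName -Surname $Surname
    if (-not (Test-IdentifierAvailable -SamAccountName $sam)) {
        throw "Identifier '$sam' is or was already assigned; request a variant through the ticket rather than reusing it"
    }
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@$Domain" -Path $StaffOU `
        -Description ("Approved by: {0}; Ticket: {1}; Created: {2}" -f $ApprovingManager, $TicketId, (Get-Date -Format s)) `
        -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $true
    return $sam
}

# Offboarding: disable and move, never delete. The SID and identifier stay in the directory,
# so old audit-log entries still resolve and the identifier cannot be reassigned.
function Disable-DepartedUser {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$TicketId)
    $user = Get-ADUser -Identity $SamAccountName -Properties Description
    Disable-ADAccount -Identity $user
    # Keep the original approval note and append the offboarding record.
    Set-ADUser -Identity $user -Description ("{0}; Disabled: {1}; Ticket: {2}" -f $user.Description, (Get-Date -Format s), $TicketId)
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
}

# Assessor check: enabled accounts in the staff OU with no approval ticket in Description.
function Find-UnauthorizedAccounts {
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $StaffOU -Properties Description |
        Where-Object { $_.Description -notmatch 'Ticket:\s*\S+' } |
        Select-Object SamAccountName, Description
}

# Usage (all values constructed):
#   $pw = Read-Host -AsSecureString 'Initial password'
#   New-ApprovedUser -GivenName 'Jane' -Surname 'Doe' -ApprovingManager 'john.smith' -TicketId 'IT-1234' -InitialPassword $pw
#   Disable-DepartedUser -SamAccountName 'jane.doe' -TicketId 'IT-2001'
#   Find-UnauthorizedAccounts
```

The reuse check treats every identifier as permanently reserved, which is the strictest reading of the organization-defined period in the control text; if your defined period is shorter, add a date comparison against the Disabled timestamp recorded in Description. Find-UnauthorizedAccounts is the evidence query to run before an assessment: any row it returns is an account whose authorization cannot be traced.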
Example 2: In the Entra Admin Center, configure the Identity Governance > Access Reviews feature to automatically prompt managers to review their team members' access quarterly. For service accounts, use Managed Identities where possible (under Entra ID > Managed Identities) so credentials are automatically rotated and the identity lifecycle is handled by the platform.