NIST 800-53 REV 5 • ACCESS CONTROL
AC-4(17) — Domain Authentication
Uniquely identify and authenticate source and destination points by {{ insert: param, ac-04.17_odp }} for information transfer.
Supplemental Guidance
Attribution is a critical component of a security and privacy concept of operations. The ability to identify source and destination points for information flowing within systems allows the forensic reconstruction of events and encourages policy compliance by attributing policy violations to specific organizations or individuals. Successful domain authentication requires that system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information. Attribution also allows organizations to better maintain the lineage of personally identifiable information processing as it flows through systems and can facilitate consent tracking, as well as correction, deletion, or access requests from individuals.
Practitioner Notes
Domain authentication ensures that when data flows between security domains, both ends verify each other's identity before any data is exchanged. This prevents an impersonator from receiving sensitive data or injecting data under a spoofed source identity, and it gives each transfer an attributable source and destination for audit and forensic reconstruction.
Example 1: For site-to-site VPN connections, use certificate-based authentication (IKEv2 with X.509 certificates) rather than pre-shared keys. Issue certificates from your organization's PKI and configure your VPN appliance to validate the partner's certificate against the trusted CA chain.
Example 2: For API integrations between systems in different domains, implement mutual TLS (mTLS). Both the client and server present certificates, and each validates the other's certificate against the trusted CA chain and the expected peer identity. Configure this in your API gateway so that requests that fail client-certificate validation are rejected at the TLS handshake, before they reach your application.
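The mutual-TLS exchange from Example 2 (and the same chain-of-trust validation Example 1 asks of a VPN appliance), as an added Go example that is not part of this control text or of any NIST publication. It mints a constructed root CA, a server certificate for the destination domain and a client certificate for the source domain in memory, then shows the server accepting the partner, rejecting an anonymous caller, and rejecting a certificate issued by an untrusted CA. The domain names api.domain-a.example and gateway.domain-b.example and the CA names are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// issueCert mints a short-lived ECDSA certificate for name. When parent is nil
// the certificate is self-signed (a root CA); otherwise parent signs it.
func issueCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the identity peers will check (SAN, not CN)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

func toTLS(cert *x509.Certificate, key *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}
}

// startServer exposes an mTLS endpoint that accepts only client certificates
// chaining to trustedCA; the handler attributes each request to the verified peer.
func startServer(serverCert tls.Certificate, trustedCA *x509.CertPool) (addr string, stop func()) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientCAs:    trustedCA,
		ClientAuth:   tls.RequireAndVerifyClientCert, // unauthenticated callers fail at the handshake
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		peer := r.TLS.PeerCertificates[0].Subject.CommonName // source domain, already verified
		fmt.Fprintf(w, "authenticated source: %s", peer)
	})}
	go srv.Serve(tls.NewListener(ln, cfg))
	return ln.Addr().String(), func() { srv.Close() }
}

// call sends one request as the holder of clientCert (nil = anonymous), trusting
// only roots for the server and verifying serverName as the destination identity.
func call(addr, serverName string, clientCert *tls.Certificate, roots *x509.CertPool) (string, error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get("https://" + addr + "/")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo runs three callers against the server: the legitimate partner domain,
// an anonymous caller, and a caller whose certificate comes from an untrusted CA.
func Demo() (partnerBody string, anonErr error, rogueErr error) {
	caCert, caKey := issueCert("Org PKI Root CA (constructed)", true, nil, nil)
	srvCert, srvKey := issueCert("api.domain-a.example", false, caCert, caKey)
	cliCert, cliKey := issueCert("gateway.domain-b.example", false, caCert, caKey)
	rogueCA, rogueKey := issueCert("Untrusted CA (constructed)", true, nil, nil)
	rogueCert, rogueLeafKey := issueCert("gateway.domain-b.example", false, rogueCA, rogueKey)

	addr, stop := startServer(toTLS(srvCert, srvKey), pool(caCert))
	defer stop()
	roots := pool(caCert)
	good, bad := toTLS(cliCert, cliKey), toTLS(rogueCert, rogueLeafKey)

	var err error
	if partnerBody, err = call(addr, "api.domain-a.example", &good, roots); err != nil {
		panic(err)
	}
	_, anonErr = call(addr, "api.domain-a.example", nil, roots)
	_, rogueErr = call(addr, "api.domain-a.example", &bad, roots)
	return partnerBody, anonErr, rogueErr
}

func main() {
	body, anonErr, rogueErr := Demo()
	fmt.Println(body)
	fmt.Println("anonymous caller:", anonErr)
	fmt.Println("untrusted-CA caller (same name, wrong issuer):", rogueErr)
}
```

The rogue caller presents the partner's exact name, so the point of the check is the issuer: identity is established only by a certificate that chains to the CA the gateway trusts, which is the property both the VPN appliance in Example 1 and the API gateway in Example 2 rely on. In a real deployment the CA pool and server certificate come from the organization's PKI rather than being minted in memory, and certificate revocation checking (CRL or OCSP) should be added on both sides.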