NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-12(5) — Address Confirmation
Require that a [Selection: registration code; notice of proofing] be delivered through an out-of-band channel to verify the user's address (physical or digital) of record.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses.
Practitioner Notes
This enhancement requires address confirmation as part of identity proofing: verifying that the person being proofed can actually receive a code or notice sent to their address of record, whether physical or digital.
Example 1: Send an enrollment confirmation code via physical mail to the applicant's claimed address, requiring them to enter the code online to complete registration.
Example 2: Verify the applicant's address against USPS address validation databases and cross-reference with their submitted utility bills or bank statements.
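The enrollment-code flow described in the Supplemental Guidance and in Example 1, as an added example that is not part of NIST 800-53 or of the original page. The record store `ADDRESS_OF_RECORD`, the validity window, the attempt limit and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data. The address of record comes from an authoritative
# source held by the organization, never from the enrollment form.
ADDRESS_OF_RECORD = {"applicant-1001": "postal:123 Example St, Springfield"}
CODE_TTL_SECONDS = 10 * 24 * 3600  # assumed validity window for a mailed code
MAX_ATTEMPTS = 5                   # assumed limit on guesses per issued code
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"  # no 0/O/1/I look-alikes
_pending = {}  # applicant_id -> {"digest", "expires", "attempts"}

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

def issue_enrollment_code(applicant_id, self_asserted_address=None, now=None):
    """Return (delivery_address, code) to hand to the out-of-band channel.
    self_asserted_address is accepted but deliberately never used for delivery."""
    now = time.time() if now is None else now
    address = ADDRESS_OF_RECORD.get(applicant_id)
    if address is None:
        raise LookupError("no address of record; route to manual proofing")
    code = "".join(secrets.choice(ALPHABET) for _ in range(8))
    # Store only a digest so a leak of pending state does not expose live codes.
    _pending[applicant_id] = {"digest": _digest(code),
                              "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return address, code

def confirm_enrollment_code(applicant_id, submitted, now=None):
    """True only for an unexpired, unused code within the attempt limit."""
    now = time.time() if now is None else now
    entry = _pending.get(applicant_id)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[applicant_id]  # expired or locked out: require re-issue
        return False
    entry["attempts"] += 1
    candidate = _digest(submitted.strip().upper())
    if hmac.compare_digest(entry["digest"], candidate):
        del _pending[applicant_id]  # single use
        return True
    return False
```

The code is confirmed on the online registration channel while delivery goes to the address of record, which keeps the two channels separate.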