NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-2(5) Individual Authentication with Group Authentication

When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators.

Practitioner Notes

This enhancement requires individual authentication when using a shared or group account — even if an account is shared, each user must first prove their individual identity.

Example 1: Require administrators to log in with their personal Active Directory account before accessing a shared administrative account through CyberArk session manager.

Example 2: For shared service accounts used in applications, implement just-in-time access through Azure PIM where each person requesting access is individually authenticated and logged.
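One way to check that the control is working is to audit access records and confirm that every shared-account session traces back to a recent, successful individual authentication. The following is an added example, not part of the control text and not CyberArk or Azure PIM output: the event schema, account names, and 15-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

SHARED_ACCOUNTS = {"svc-admin", "root-shared"}   # constructed account names
MAX_AUTH_AGE = timedelta(minutes=15)              # assumed policy window

# Constructed sample events (hypothetical schema, not a vendor log format).
EVENTS = [
    {"time": "2024-05-01T09:00:00", "type": "individual_auth", "user": "alice", "source": "ws-01", "result": "success"},
    {"time": "2024-05-01T09:02:00", "type": "shared_session", "account": "svc-admin", "requested_by": "alice", "source": "ws-01"},
    {"time": "2024-05-01T09:30:00", "type": "shared_session", "account": "svc-admin", "requested_by": "alice", "source": "ws-01"},
    {"time": "2024-05-01T10:00:00", "type": "individual_auth", "user": "bob", "source": "ws-02", "result": "failure"},
    {"time": "2024-05-01T10:01:00", "type": "shared_session", "account": "svc-admin", "requested_by": "bob", "source": "ws-02"},
    {"time": "2024-05-01T10:05:00", "type": "shared_session", "account": "root-shared", "requested_by": None, "source": "ws-03"},
]

def audit_shared_access(events, shared=SHARED_ACCOUNTS, max_age=MAX_AUTH_AGE):
    """Split shared-account sessions into attributed ones and violations."""
    last_auth = {}                      # (user, source) -> last successful individual auth
    attributed, violations = [], []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "individual_auth":
            if ev["result"] == "success":
                last_auth[(ev["user"], ev["source"])] = when
            continue
        if ev["type"] != "shared_session" or ev["account"] not in shared:
            continue
        user = ev.get("requested_by")
        auth_time = last_auth.get((user, ev["source"]))
        if not user:
            reason = "no individual identity recorded"
        elif auth_time is None:
            reason = "no successful individual authentication"
        elif when - auth_time > max_age:
            reason = "individual authentication too old"
        else:
            attributed.append((ev["account"], user, ev["time"]))
            continue
        violations.append((ev["account"], user, ev["time"], reason))
    return attributed, violations

if __name__ == "__main__":
    ok, bad = audit_shared_access(EVENTS)
    for row in ok:
        print("attributed:", row)
    for row in bad:
        print("VIOLATION:", row)
```

Sessions in the violations list are the ones an assessor would question: the shared account was used, but no individual can be held accountable for it.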