NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-4 — Identifier Management
Manage system identifiers by: Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier; Selecting an identifier that identifies an individual, group, role, service, or device; Assigning the identifier to the intended individual, group, role, service, or device; and Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.
Supplemental Guidance
Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4). Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.
Practitioner Notes
Identifier management means having a formal process for authorizing, assigning, managing, and retiring user IDs, device IDs, and other identifiers. Every identifier should be unique and traceable to a single real person, device, or service, and a retired identifier should not be handed to someone else while logs and access records still refer to its previous owner.
Example 1: Establish naming conventions in Active Directory (e.g., first.last for users, SVC-appname for service accounts) and prohibit reuse of identifiers for at least two years after deactivation.
Example 2: Integrate your HR system with Azure AD using automated provisioning (SCIM) so that user identifiers are created when employees are hired and disabled when they depart.
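The four steps of the control (authorization, selection, assignment, reuse prevention) as an added Python example; this is illustrative code, not NIST's or any directory product's. The approver list, the naming patterns for user and service identifiers, and the two-year quarantine are assumptions modelled on Example 1 above; in a real deployment these would come from your organization-defined parameters and directory policy.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

# Assumed naming conventions, modelled on Example 1 (first.last, SVC-appname).
CONVENTIONS = {
    "user": re.compile(r"^[a-z]+\.[a-z]+$"),
    "service": re.compile(r"^SVC-[a-z0-9]+$"),
}

# Assumed organization-defined reuse period: "at least two years" after retirement.
REUSE_QUARANTINE = timedelta(days=730)


@dataclass
class IdentifierRecord:
    kind: str                 # user, service, ... (must have a convention)
    owner: str                # the person/device the identifier is traceable to
    authorized_by: str        # who approved the assignment (IA-4 step 1)
    assigned_at: datetime
    retired_at: Optional[datetime] = None


class IdentifierRegistry:
    """Tracks every identifier ever issued so it can never be silently reused."""

    def __init__(self, approvers: Set[str]):
        self.approvers = set(approvers)
        self.records: Dict[str, IdentifierRecord] = {}

    def assign(self, kind: str, identifier: str, owner: str,
               authorized_by: str, now: datetime) -> str:
        # Step 1: assignment must be authorized by a designated approver.
        if authorized_by not in self.approvers:
            raise PermissionError(f"{authorized_by} may not authorize identifiers")
        # Step 2: the chosen identifier must follow the convention for its kind.
        pattern = CONVENTIONS.get(kind)
        if pattern is None or not pattern.fullmatch(identifier):
            raise ValueError(f"{identifier!r} violates the {kind} naming convention")
        # Step 4: reject identifiers that are in use or still inside the quarantine.
        existing = self.records.get(identifier)
        if existing is not None:
            if existing.retired_at is None:
                raise ValueError(f"{identifier!r} is already assigned to {existing.owner}")
            if now - existing.retired_at < REUSE_QUARANTINE:
                raise ValueError(f"{identifier!r} retired too recently to reuse")
        # Step 3: bind the identifier to exactly one owner and record who approved it.
        self.records[identifier] = IdentifierRecord(kind, owner, authorized_by, now)
        return identifier

    def retire(self, identifier: str, now: datetime) -> None:
        record = self.records[identifier]
        if record.retired_at is not None:
            raise ValueError(f"{identifier!r} is already retired")
        record.retired_at = now   # the record is kept, never deleted

    def owner_of(self, identifier: str) -> Optional[str]:
        """Current owner, or None if the identifier is retired or unknown."""
        record = self.records.get(identifier)
        if record is None or record.retired_at is not None:
            return None
        return record.owner


def run_demo() -> Dict[str, str]:
    """Walk an identifier through its life cycle; returns the outcome of each step."""
    reg = IdentifierRegistry(approvers={"idm-admin"})
    t0 = datetime(2024, 1, 1)
    outcomes: Dict[str, str] = {}

    def attempt(label, fn):
        try:
            outcomes[label] = "ok:" + str(fn())
        except (PermissionError, ValueError) as exc:
            outcomes[label] = "rejected:" + type(exc).__name__

    attempt("assign", lambda: reg.assign("user", "jane.doe", "Jane Doe", "idm-admin", t0))
    attempt("duplicate", lambda: reg.assign("user", "jane.doe", "Jan Doe", "idm-admin", t0))
    attempt("bad_name", lambda: reg.assign("user", "Jane.Doe", "Jane Doe", "idm-admin", t0))
    attempt("unauthorized", lambda: reg.assign("service", "SVC-payroll", "payroll", "intern", t0))
    attempt("retire", lambda: reg.retire("jane.doe", t0 + timedelta(days=100)))
    attempt("reuse_early", lambda: reg.assign("user", "jane.doe", "Jane Doe II", "idm-admin",
                                              t0 + timedelta(days=200)))
    attempt("reuse_late", lambda: reg.assign("user", "jane.doe", "Jane Doe II", "idm-admin",
                                             t0 + timedelta(days=100 + 731)))
    return outcomes


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(f"{step:12} {result}")
```

The registry keeps retired records rather than deleting them, which is what makes the quarantine check possible: audit logs written before retirement still name the old owner, and the reuse rule is only enforceable if the registry remembers who that was.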