NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-4(1) — Prohibit Account Identifiers as Public Identifiers
Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts.
Supplemental Guidance
Prohibiting account identifiers as public identifiers applies to any publicly disclosed account identifier used for communication, such as electronic mail and instant messaging. Prohibiting the use of system account identifiers that are the same as some public identifier, such as the individual identifier section of an electronic mail address, makes it more difficult for adversaries to guess user identifiers. Prohibiting account identifiers as public identifiers without the implementation of other supporting controls only complicates guessing of identifiers. Additional protections are required for authenticators and credentials to protect the account.
Practitioner Notes
This enhancement prohibits using system account identifiers as public identifiers — your usernames should not be easily guessable or publicly discoverable.
Example 1: Do not use employee email addresses as their primary Active Directory login username if those emails are publicly listed on your company website.
Example 2: Use employee ID numbers or non-obvious identifiers for system accounts rather than names or email addresses that could be harvested from LinkedIn or your website.
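A compliance check for this enhancement can be run against a directory export. The following is an added example, not part of the NIST text and not an official assessment tool; it assumes a constructed CSV export with the columns samaccountname, mail and displayname (the kind of listing an administrator might pull from a directory), and flags any account whose identifier equals the local part of the user's public email address or is derivable from the public display name by the common first.last / flast style patterns.

```python
"""Audit a directory export for account identifiers that double as public
identifiers, the condition IA-4(1) prohibits. Example code, not NIST's."""
import csv
import io
import re

# Constructed sample export (not real data). Column names are assumed.
SAMPLE_EXPORT = """samaccountname,mail,displayname
jsmith,jsmith@example.com,John Smith
e10482,john.smith@example.com,John Smith
maria.garcia,maria.garcia@example.com,Maria Garcia
u77103,mgarcia@example.com,Maria Garcia
dlee,lee.d@example.com,Dana Lee
"""


def name_patterns(display_name):
    """Usernames commonly derived from a public display name, lowercased:
    first.last, flast, firstl, lastf, last.first, firstlast."""
    parts = [p for p in re.split(r"\s+", display_name.strip().lower()) if p]
    if len(parts) < 2:
        return set()
    first, last = parts[0], parts[-1]
    return {
        f"{first}.{last}",
        f"{first[0]}{last}",
        f"{first}{last[0]}",
        f"{last}{first[0]}",
        f"{last}.{first}",
        f"{first}{last}",
    }


def check_account(samaccountname, mail, display_name):
    """Return the findings for one account; an empty list means compliant."""
    findings = []
    ident = samaccountname.strip().lower()
    local_part = mail.split("@", 1)[0].strip().lower() if mail else ""
    if ident and ident == local_part:
        findings.append("account identifier equals email local part")
    if ident in name_patterns(display_name):
        findings.append("account identifier is derivable from the public display name")
    return findings


def audit_export(csv_text):
    """Run check_account over every row; return {identifier: [findings]}
    for non-compliant accounts only."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = check_account(
            row["samaccountname"], row.get("mail", ""), row.get("displayname", "")
        )
        if findings:
            results[row["samaccountname"]] = findings
    return results


if __name__ == "__main__":
    for account, findings in audit_export(SAMPLE_EXPORT).items():
        print(f"{account}: {'; '.join(findings)}")
```

In the constructed sample, jsmith and maria.garcia are flagged on both rules, dlee is flagged only because "dlee" is the flast form of "Dana Lee", and the opaque identifiers e10482 and u77103 pass. The name-pattern list is a heuristic; extend it to whatever convention your organisation publishes. As the Supplemental Guidance notes, passing this check only makes identifiers harder to guess; authenticator and credential protections still carry the account.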