NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-5(16)In-person or Trusted External Party Authenticator Issuance

Require that the issuance of organization-defined parameter be conducted organization-defined parameter before organization-defined parameter with authorization by organization-defined parameter.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Issuing authenticators in person or by a trusted external party enhances and reinforces the trustworthiness of the identity proofing process.

Practitioner Notes

This enhancement requires in-person or trusted external party involvement when issuing authenticators — someone trusted must physically verify the recipient's identity.

Example 1: Require new employees to receive their initial password and MFA token in person from the IT help desk after the HR department confirms their identity.

Example 2: For remote employees, use a bonded courier service to deliver hardware tokens and initial credentials, with signature verification upon delivery.

More Identification and Authentication Controls

IA-1 Policy and Procedures IA-2 Identification and Authentication (Organizational Users) IA-2(1) Multi-factor Authentication to Privileged Accounts IA-2(2) Multi-factor Authentication to Non-privileged Accounts