NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-8 Identification and Authentication (Non-organizational Users)

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

Supplemental Guidance

Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2). Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14). Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.

Practitioner Notes

This control addresses identifying and authenticating non-organizational users — people who are not your employees but need access to your systems, such as contractors, partners, or members of the public.

Example 1: Use Azure AD B2B guest accounts to provide external partners with authenticated access to specific SharePoint sites and Teams channels without giving them full employee accounts.

Example 2: For public-facing applications, implement Login.gov or a commercial identity provider for customer authentication rather than building your own login system.