NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-9(2)Transmission of Decisions

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

This enhancement was incorporated into IA-9. It previously addressed transmission of service authentication decisions to downstream services.

Example 1: Use token propagation in your API gateway so that authentication decisions made at the gateway are passed downstream to backend services via signed tokens.

Example 2: Implement an API gateway (like Azure API Management) that authenticates the calling service and includes verified identity claims in headers forwarded to backend APIs.

More Identification and Authentication Controls

IA-1 Policy and Procedures IA-2 Identification and Authentication (Organizational Users) IA-2(1) Multi-factor Authentication to Privileged Accounts IA-2(2) Multi-factor Authentication to Non-privileged Accounts