IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION


Overview

Number: IA-9
Title: Service Identification And Authentication
Impact:
Priority: P0
Subject Area: Identification And Authentication

Instructions
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
Guidance
This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner whether external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services.

Enhancements
IA-9 (1) Information Exchange

The organization ensures that service providers receive, validate, and transmit identification and authentication information.

IA-9 (2) Transmission Of Decisions
For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification and authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification and authentication decisions (as opposed to the actual identifiers and authenticators) to the services that need to act on those decisions.

The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies.