Dear Dr. RMF,
RMF IA-4 Identification Management control is not easy. It has so many rabbit holes. I am not sure how to tackle this control. Could you please simplify this control for me. Let’s say for IA-4 Identifier Management, the information system is a web application/web server. For the web application or web site, the user’s digital certificate is used to log on. In this case, how would an IS prevent reuse of identifiers? Each identifier is unique. This identifier is issued and managed by DOD. Does this mean IA 4.4 (the organization manages IS identifiers by assigning identifier) be Not Applicable because the user’s identifier is their digital certificate Since the IA-4.4, talks about not only individuals but also devices, should we take this from the perspective of a device only? Is this control asking how we manage Active Directory name for devices? Lastly, could this control be even inheritable? The last assessor stated it should be inheritable but did not say from whom? I can’t see who I could even inherit this from. Maybe a Datacenter?
Rabbit Holes
Dear Rabbit Holes,
It sounds like you’re in quite the RMF tizzy. First, we need to look at what the control is requiring. IA-4 pertains to individuals, groups, roles, and devices. It sounds like your individual identifier management is handled via DoD CAC. Ideally you would be able to inherit compliance for that from the agency that issues CACs but unfortunately, that’s not set up for inheritance. I would suggest you consider that portion of the control compliant. The agency that issues the CAC has measures in place to ensure that they are unique, not reused, etc. Next, you need to look at your system and determine if your system utilizes groups. If so, how do you manage the groups? Do the same for roles and devices. IA-4 is a complex control, but it is manageable if you take it apart and look at it piece by piece. Hope this helps!