NIST CSF 2.0 · All Functions · PR Protect · PR.AA Identity Management, Authentication, and Access Control

PR.AA-01

Identities and credentials for authorized users, services, and hardware are managed by the organization

Implementation examples

Ex1: Initiate requests for new access or additional access for employees, contractors, and others, and track, review, and fulfill the requests, with permission from system or data owners when needed
Ex2: Issue, manage, and revoke cryptographic certificates and identity tokens, cryptographic keys (i.e., key management), and other credentials
Ex3: Select a unique identifier for each device from immutable hardware characteristics or an identifier securely provisioned to the device
Ex4: Physically label authorized hardware with an identifier for inventory and servicing purposes

Mapped NIST 800-53 r5 controls (14)

AC-01 AC-02 AC-14 IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-07 IA-08 IA-09 IA-10 IA-11

Mapped CWE weaknesses (7)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-1391←P →P CWE-200→P CWE-269←P →M CWE-284→P CWE-285→P CWE-287→P CWE-798→P

All informative references (103)

CCMv4.0: CEK-01
CCMv4.0: CEK-10
CCMv4.0: CEK-11
CCMv4.0: CEK-12
CCMv4.0: CEK-13
CCMv4.0: CEK-14
CCMv4.0: CEK-15
CCMv4.0: CEK-16
CCMv4.0: CEK-17
CCMv4.0: CEK-18
CCMv4.0: CEK-19
CCMv4.0: CEK-20
CCMv4.0: CEK-21
CCMv4.0: DCS-08
CCMv4.0: IAM-01
CCMv4.0: IAM-03
CCMv4.0: IAM-06
CCMv4.0: IAM-07
CCMv4.0: IAM-09
CCMv4.0: IAM-13
CCMv4.0: IAM-14
CCMv4.0: IAM-15
CCMv4.0: IAM-16
CCMv4.0: UEM-14
CIS Controls v8.0: 5.1
CIS Controls v8.0: 6.7
CIS Controls v8.1: 5.1
CIS Controls v8.1: 5.6
CIS Controls v8.1: 6.7
CRI Profile v2.0: PR.AA-01
CRI Profile v2.0: PR.AA-01.01
CRI Profile v2.0: PR.AA-01.02
CSF v1.1: PR.AC-1
IRP: IRP-Sec-4
IRP: IRP-Sec-4
IRP: IRP-Sec-4
ISO/IEC 27001:2022: Mandatory Clause: None
ISO/IEC 27001:2022: Annex A Controls: 5.15
ISO/IEC 27001:2022: Annex A Controls: 5.18
ISO/IEC 27001:2022: Annex A Controls: 8.2
ISO/IEC 27001:2022: Annex A Controls: 8.5
NICE Framework: DD-WRL-001
NICE Framework: IO-WRL-003
NICE Framework: IO-WRL-005
NICE Framework: OG-WRL-013
NICE Framework: OG-WRL-014
NICE Framework: PD-WRL-004
OWASP Top 10 LLM Applications: LLM02-2025
OWASP Top 10 LLM Applications: LLM06-2025
PCI DSS: 8.2.1
PCI DSS: 8.6.2
PCI DSS: 8.6.3
PCI DSS: 3.6.1
PCI DSS: 3.6.1.1
PCI DSS: 3.6.1.2
PCI DSS: 3.6.1.3
PCI DSS: 3.6.1.4
PCI DSS: 9.5.1.1
PCI DSS: 12.5.1
SCF: IAC-02
SCF: IAC-03
SCF: IAC-04
SCF: IAC-05
SDOS: SDOS-IA-01
SDOS: SDOS-IA-02
SP 800-171 Rev 3: 03.01.01
SP 800-171 Rev 3: 03.05.01
SP 800-171 Rev 3: 03.05.02
SP 800-171 Rev 3: 03.05.03
SP 800-171 Rev 3: 03.05.04
SP 800-171 Rev 3: 03.05.05
SP 800-171 Rev 3: 03.05.07
SP 800-171 Rev 3: 03.05.11
SP 800-171 Rev 3: 03.05.12
SP 800-171 Rev 3: 03.15.01
SP 800-53 Rev 5.1.1: AC-01
SP 800-53 Rev 5.1.1: AC-02
SP 800-53 Rev 5.1.1: AC-14
SP 800-53 Rev 5.1.1: IA-01
SP 800-53 Rev 5.1.1: IA-02
SP 800-53 Rev 5.1.1: IA-03
SP 800-53 Rev 5.1.1: IA-04
SP 800-53 Rev 5.1.1: IA-05
SP 800-53 Rev 5.1.1: IA-06
SP 800-53 Rev 5.1.1: IA-07
SP 800-53 Rev 5.1.1: IA-08
SP 800-53 Rev 5.1.1: IA-09
SP 800-53 Rev 5.1.1: IA-10
SP 800-53 Rev 5.1.1: IA-11
SP 800-53 Rev 5.2.0: AC-01
SP 800-53 Rev 5.2.0: AC-02
SP 800-53 Rev 5.2.0: AC-14
SP 800-53 Rev 5.2.0: IA-01
SP 800-53 Rev 5.2.0: IA-02
SP 800-53 Rev 5.2.0: IA-03
SP 800-53 Rev 5.2.0: IA-04
SP 800-53 Rev 5.2.0: IA-05
SP 800-53 Rev 5.2.0: IA-06
SP 800-53 Rev 5.2.0: IA-07
SP 800-53 Rev 5.2.0: IA-08
SP 800-53 Rev 5.2.0: IA-09
SP 800-53 Rev 5.2.0: IA-10
SP 800-53 Rev 5.2.0: IA-11

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).