PR.AA-04
Identity assertions are protected, conveyed, and verified
Implementation examples
- Ex1: Protect identity assertions that are used to convey authentication and user information through single sign-on systems
- Ex2: Protect identity assertions that are used to convey authentication and user information between federated systems
- Ex3: Implement standards-based approaches for identity assertions in all contexts, and follow all guidance for the generation (e.g., data models, metadata), protection (e.g., digital signing, encryption), and verification (e.g., signature validation) of identity assertions
Mapped NIST 800-53 r5 controls (1)
Mapped CWE weaknesses (3)
All informative references (28)
- CCMv4.0: IAM-01
- CCMv4.0: IAM-03
- CCMv4.0: IAM-16
- CRI Profile v2.0: PR.AA-04
- CRI Profile v2.0: PR.AA-04.01
- ISO/IEC 27001:2022: Mandatory Clause: None
- ISO/IEC 27001:2022: Annex A Controls: 5.16
- NICE Framework: DD-WRL-001
- NICE Framework: IO-WRL-002
- NICE Framework: IO-WRL-003
- NICE Framework: IO-WRL-005
- NICE Framework: OG-WRL-013
- NICE Framework: OG-WRL-014
- NICE Framework: PD-WRL-004
- OWASP Top 10 LLM Applications: LLM06-2025
- PCI DSS: 12.3.3
- PCI DSS: 3.6.1
- PCI DSS: 3.6.1.1
- PCI DSS: 3.6.1.2
- PCI DSS: 3.6.1.3
- PCI DSS: 3.6.1.4
- PCI DSS: 4.2.1
- SCF: IAC-01.2
- SCF: IAC-02.2
- SDOS: SDOS-AU-01
- SDOS: SDOS-IA-01
- SP 800-53 Rev 5.1.1: IA-13
- SP 800-53 Rev 5.2.0: IA-13
Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms.