Cyber Posture

PR.AA — Identity Management, Authentication, and Access Control

Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access

PR.AA-01

Identities and credentials for authorized users, services, and hardware are managed by the organization

4 implementation examples · 14 mapped NIST 800-53 controls

PR.AA-02

Identities are proofed and bound to credentials based on the context of interactions

2 implementation examples · 1 mapped NIST 800-53 control

PR.AA-03

Users, services, and hardware are authenticated

4 implementation examples · 10 mapped NIST 800-53 controls

PR.AA-04

Identity assertions are protected, conveyed, and verified

3 implementation examples · 1 mapped NIST 800-53 control

PR.AA-05

Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties

4 implementation examples · 12 mapped NIST 800-53 controls

PR.AA-06

Physical access to assets is managed, monitored, and enforced commensurate with risk

3 implementation examples · 9 mapped NIST 800-53 controls

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms.