NIST PR.AC-1: Identity and Credential Management
PR.AC-1 requires organizations to issue, manage, verify, revoke, and audit identities and credentials across all authorized devices, users, and processes. Without proper identity governance, unauthorized access becomes a critical risk. This control forms the foundation of your access control strategy.
What this means
Identity and credential management means establishing a complete lifecycle for how your organization creates, maintains, validates, and removes access credentials. This includes implementing centralized identity systems, enforcing multi-factor authentication, maintaining audit logs for all credential activities, and rapidly revoking access when users leave or roles change. The control applies to human users, service accounts, and automated processes accessing your systems.
How to comply
- 1.Implement a centralized identity and access management (IAM) platform to issue and manage credentials for all users, devices, and processes
- 2.Establish credential lifecycle policies defining creation, validation, rotation, and revocation procedures
- 3.Enable multi-factor authentication (MFA) for all user accounts and enforce it across applications
- 4.Conduct quarterly credential audits to verify active accounts match current authorized personnel and roles
- 5.Automate credential revocation workflows triggered by employee termination, role changes, or system deprovisioning
- 6.Monitor and log all credential-related events including issuance, modification, use, and revocation
- 7.Define and enforce credential complexity requirements including minimum length, character types, and expiration policies
- 8.Implement just-in-time (JIT) access provisioning to minimize standing privileged credentials
Evidence auditors look for
- IAM platform configuration screenshots showing user creation and role assignment workflows
- MFA enforcement policies and audit reports showing adoption rates across systems
- Credential lifecycle procedures documentation with defined timelines for rotation and revocation
- Monthly access reviews showing verification of active credentials against current employee rosters
- Deprovisioning logs showing credential revocation within defined timeframes after user offboarding
- Audit logs with timestamps for all credential management events including creation, changes, and deletions
- Password policy documentation enforcing complexity, expiration, and historical restrictions
- Privileged access management (PAM) logs demonstrating just-in-time credential provisioning
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates credential lifecycle tracking and audit logging, eliminating manual spreadsheet reviews and instantly flagging orphaned accounts during quarterly compliance audits.
See how GRCWatch handles this control automatically
Start free trial