NIST Cybersecurity Framework PR.AC-6: Identity Proofing and Binding
Identity proofing and credential binding are foundational to preventing unauthorized access and impersonation attacks. PR.AC-6 requires that user identities are verified and securely linked to authentication credentials before system interactions. This control ensures only legitimate users can assert their identity and access protected resources.
What this means
This control mandates that organizations establish processes to verify user identities are authentic and that verified identities are cryptographically or securely bound to the credentials users present during authentication. Identity proofing means validating that a person is who they claim to be through initial enrollment. Binding means linking that verified identity to specific credentials (passwords, certificates, biometrics, MFA tokens) so that only the legitimate identity holder can use those credentials. When users interact with systems, their asserted identity must be traceable back to the proofed and bound credential.
How to comply
- 1.Establish identity verification procedures during user enrollment that validate government-issued ID, employment records, or other authoritative sources
- 2.Document identity proofing requirements by user role and system sensitivity level
- 3.Implement credential binding mechanisms that cryptographically link verified identities to authentication factors
- 4.Use multi-factor authentication to bind identity to multiple independent credential types
- 5.Maintain identity and credential binding records with audit trails
- 6.Periodically re-verify identities and re-bind credentials, especially for high-risk accounts
- 7.Implement directory services (Active Directory, LDAP) that enforce binding between user identities and login credentials
- 8.Log and monitor all identity assertion events to detect binding violations
Evidence auditors look for
- Identity verification policy documents showing verification methods required by role
- User enrollment records with supporting identity documentation copies
- Active Directory or directory service configurations showing identity-credential bindings
- MFA enrollment records showing multiple credential types bound to each identity
- Access control lists mapping verified identities to system credentials
- Audit logs showing successful identity proofing events with dates and verifying personnel
- Re-verification schedules and completion records for periodic identity validation
- Credential binding test results confirming unauthorized credentials cannot authenticate
- Identity assertion logs showing each login includes verified identity reference
- Procedures for investigating and remedying identity-credential binding mismatches
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates identity proofing documentation and credential binding verification by integrating with your directory services to map identities to credentials, generating audit-ready evidence exports that prove binding compliance without manual log reviews.
See how GRCWatch handles this control automatically
Start free trial