NIST CSF 2.0 - Protect

PR.AA-01: Identity Management

PR.AA-01 requires that identities and credentials for authorized users, services and hardware are managed by the organization. This NIST CSF 2.0 control falls under the Protect (PR) function and the Identity Management, Authentication and Access Control category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: PR.AA-01
Title: Identity Management
Function: Protect (PR)
Category: Identity Management, Authentication and Access Control
Framework: NIST CSF 2.0

Identities and credentials for authorized users, services and hardware are managed by the organization.

This covers the full lifecycle of digital identities from provisioning through revocation.

Why This Matters

Compromised or orphaned credentials are involved in the majority of breaches. Proper identity lifecycle management reduces the window of opportunity for attackers using stolen or abandoned accounts.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of PR.AA-01.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with PR.AA-01 during an audit.

  • Identity provisioning workflow documentation
  • Password policy or credential strength requirements
  • Quarterly access review reports with remediation actions
  • Termination access revocation logs with timestamps
  • Service account inventory with owners and review dates

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with PR.AA-01.

  • Terminated employee accounts remain active for weeks or months
  • Service accounts are created with no owner and never reviewed
  • Access reviews cover only a subset of systems rather than all access
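The three gaps above are all detectable by reconciling an account inventory against HR records and the access-review record. The script below is an added example written for this page, not a tool from Sherlock Forensics or from NIST; the account list, HR termination dates, system names, the 90-day review interval and the one-day revocation grace period are all constructed assumptions, and the field names are hypothetical rather than those of any particular identity provider.

```python
"""Reconcile an account inventory with HR records to surface PR.AA-01 gaps:
terminated users still enabled, accounts with no HR record, service accounts
with no owner or an overdue review, and systems the last review skipped.
Added example; all data below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

REVIEW_INTERVAL_DAYS = 90     # assumption: quarterly review cadence
TERMINATION_GRACE_DAYS = 1    # assumption: revoke within one day of termination


@dataclass
class Account:
    name: str
    kind: str                          # "user" or "service"
    enabled: bool
    system: str
    owner: Optional[str] = None        # service accounts only
    last_reviewed: Optional[date] = None


# Constructed HR extract: username -> termination date (None = still employed).
HR_RECORDS: Dict[str, Optional[date]] = {
    "alice": None,
    "bob": date(2024, 1, 10),
    "carol": date(2024, 3, 31),
}

# Constructed identity-provider export.
ACCOUNTS: List[Account] = [
    Account("alice", "user", True, "idp"),
    Account("bob", "user", True, "idp"),            # terminated 82 days ago, still on
    Account("carol", "user", True, "idp"),          # terminated yesterday, inside grace
    Account("dave", "user", True, "idp"),           # no HR record at all
    Account("svc-backup", "service", True, "crm", None, date(2024, 2, 15)),
    Account("svc-etl", "service", True, "crm", "data-team", date(2023, 11, 1)),
    Account("svc-monitor", "service", True, "idp", "ops", date(2024, 3, 1)),
]

ALL_SYSTEMS: Set[str] = {"idp", "crm", "vpn"}
REVIEWED_SYSTEMS: Set[str] = {"idp", "crm"}        # what the last review covered

Finding = Tuple[str, str, str]   # (gap category, subject, detail)


def find_gaps(accounts: List[Account], hr: Dict[str, Optional[date]],
              all_systems: Set[str], reviewed_systems: Set[str],
              today: date) -> List[Finding]:
    """Return one finding per gap; an empty list means no gaps on this data."""
    findings: List[Finding] = []
    for acct in accounts:
        if acct.kind == "user":
            if acct.name not in hr:
                # Orphaned credential: nobody in HR owns this identity.
                findings.append(("user-no-hr-record", acct.name, acct.system))
                continue
            terminated = hr[acct.name]
            if terminated is not None and acct.enabled:
                age = (today - terminated).days
                if age > TERMINATION_GRACE_DAYS:
                    findings.append(("terminated-still-active", acct.name,
                                     f"{age} days after termination"))
        elif acct.kind == "service":
            if not acct.owner:
                findings.append(("service-no-owner", acct.name, acct.system))
            if acct.last_reviewed is None:
                findings.append(("service-review-overdue", acct.name, "never reviewed"))
            elif (today - acct.last_reviewed).days > REVIEW_INTERVAL_DAYS:
                findings.append(("service-review-overdue", acct.name,
                                 f"last reviewed {acct.last_reviewed.isoformat()}"))
    # Coverage gap: systems the quarterly review did not touch.
    for system in sorted(all_systems - reviewed_systems):
        findings.append(("system-not-reviewed", system, "absent from last review"))
    return findings


def report(today: date = date(2024, 4, 1)) -> List[Finding]:
    """Run the reconciliation over the constructed data set."""
    return find_gaps(ACCOUNTS, HR_RECORDS, ALL_SYSTEMS, REVIEWED_SYSTEMS, today)


if __name__ == "__main__":
    for category, subject, detail in report():
        print(f"{category:26} {subject:12} {detail}")
```

Feeding the same function a real HR extract and identity-provider export gives the reconciliation an auditor expects behind the "termination revocation logs" and "service account inventory" evidence items; the findings list is what a remediation ticket queue should be populated from.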

FAQ

What does PR.AA-01 require?
PR.AA-01 (Identity Management) requires that identities and credentials for authorized users, services and hardware are managed by the organization. This covers the full lifecycle of digital identities from provisioning through revocation. This control is part of the NIST CSF 2.0 Protect function under the Identity Management, Authentication and Access Control category.
How do I prove compliance with PR.AA-01?
To demonstrate compliance with PR.AA-01, prepare the following evidence: Identity provisioning workflow documentation; Password policy or credential strength requirements; Quarterly access review reports with remediation actions. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.

Get a Compliance Assessment