FedRAMP Controls / IA
IA-5(2) Public Key-based Authentication
Family IA
Baselines moderate
Mapped KSIs 4
Control statement
(a) For public key-based authentication:
(1) Enforce authorized access to the corresponding private key; and
(2) Map the authenticated identity to the account of the individual or group; and
(b) When public key infrastructure (PKI) is used:
(1) Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and
(2) Implement a local cache of revocation data to support path discovery and validation. Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is
preserved in the catalog database.
Covered by these Key Security Indicators
| KSI | Title | Category |
|---|---|---|
| KSI-IAM-02 | Passwordless Authentication Use secure passwordless methods for user authentication and authorization when feasible, otherwise enforce strong passwords with MFA. | Identity and Access Management |
| KSI-IAM-03 | Non-User Accounts Enforce appropriately secure authentication methods for non-user accounts and services. | Identity and Access Management |
| KSI-IAM-05 | Least Privilege _Persistently_ ensure that identity and access management employs measures to ensure each user or device can only access the resources they need. | Identity and Access Management |
| KSI-SVC-06 | Secret Management Automate management, protection, and regular rotation of digital keys, certificates, and other secrets. | Service Configuration |