bigforceone

03.05.05

What this control requires

(a) Receive authorization from organizational personnel or roles to assign an individual, group, role, service, or device identifier.
(b) Select and assign an identifier that identifies an individual, group, role, service, or device.
(c) Prevent the reuse of identifiers for {{ insert: param, A.03.05.05.ODP.01 }}.
(d) Manage individual identifiers by uniquely identifying each individual as {{ insert: param, A.03.05.05.ODP.02 }}.

Source: NIST SP 800-171 R3 §03.05.05 (official control text).

Why this matters

Identifier management ensures every user, device, and service account has a unique, authorized identity that can be tracked through its entire lifecycle. Without proper identifier discipline, orphaned accounts accumulate, former employees retain access, and audit logs become ambiguous. This control prevents identifier reuse that could allow a new hire to inherit another person's permissions or mask malicious activity behind a recycled username. Organizations must distinguish contractors, vendors, and non-employees in their naming conventions so staff recognize external parties in emails, file shares, and collaboration tools—reducing social engineering risk and accidental data exposure.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
