03.05.06 —
What this control requires
Source: NIST SP 800-171 R3 §03.05.06 (official control text).
Why this matters
When identifiers and authentication credentials are managed poorly, adversaries can impersonate legitimate users, escalate privileges, or persist undetected in your environment. This control requires organizations to establish formal procedures for issuing, tracking, revoking, and auditing all user identifiers and authenticators—from initial provisioning through offboarding. Without documented workflows, credentials accumulate over time, orphaned accounts remain active, and there's no audit trail proving who authorized what access. Strong identifier management directly reduces insider threat risk and ensures you can prove chain-of-custody for every authentication mechanism in your environment.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.