Identity and Access Management
Automating Account Management
KSI-IAM-AAM
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
The lifecycle and privileges of all accounts, roles, and groups are securely managed using automation.
Related SP 800-53 Controls: AC-02 (02), AC-02 (03), AC-02 (13), AC-06 (07), IA-04 (04), IA-12, IA-12 (02), IA-12 (03), IA-12 (05)
Adopting Passwordless Methods
KSI-IAM-APM
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Secure passwordless methods are used for user authentication and authorization when feasible; otherwise, strong passwords with phishing-resistant MFA are used.
Related SP 800-53 Controls: AC-03, IA-05 (01), IA-05 (02), IA-05 (06), IA-06, AC-02, IA-02, IA-02 (01), IA-02 (02), IA-02 (08), IA-05, IA-08, SC-23
Ensuring Least Privilege
KSI-IAM-ELP
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Identity and access management measures are used and persistently reviewed to ensure each user or device can only access the resources they need.
Related SP 800-53 Controls: AC-02 (05), AC-02 (06), AC-03, AC-04, AC-06, AC-12, AC-14, AC-17, AC-17 (01), AC-17 (02), AC-17 (03), AC-20, AC-20 (01), CM-02 (07), CM-09, IA-02, IA-03, IA-04, IA-04 (04), IA-05 (02), IA-05 (06), IA-11, PS-02, PS-03, PS-04, PS-05, PS-06, SC-04, SC-20, SC-21, SC-22, SC-23, SC-39, SI-03
Terms: Persistently
Authorizing Just-in-Time
KSI-IAM-JIT
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
A least-privileged, role- and attribute-based, and just-in-time security authorization model is used and persistently reviewed for all user and non-user accounts and services.
Related SP 800-53 Controls: AC-02, AC-02 (01), AC-02 (02), AC-02 (03), AC-02 (04), AC-02 (06), AC-03, AC-04, AC-05, AC-06, AC-06 (01), AC-06 (02), AC-06 (05), AC-06 (07), AC-06 (09), AC-06 (10), AC-07, AC-20 (01), AC-17, AU-09 (04), CM-05, CM-07, CM-07 (02), CM-07 (05), CM-09, IA-04, IA-04 (04), IA-07, PS-02, PS-03, PS-04, PS-05, PS-06, PS-09, RA-05 (05), SC-02, SC-23, SC-39
Terms: Persistently
Securing Non-User Authentication
KSI-IAM-SNU
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Appropriately secure authentication methods are used and persistently reviewed for non-user accounts and services.
Related SP 800-53 Controls: AC-02, AC-02 (02), AC-04, AC-06 (05), IA-03, IA-05 (02), RA-05 (05)
Terms: Persistently
Responding to Suspicious Activity
KSI-IAM-SUS
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Accounts with privileged access are disabled or otherwise secured in response to suspicious activity.
Related SP 800-53 Controls: AC-02, AC-02 (01), AC-02 (03), AC-02 (13), AC-07, PS-04, PS-08
Terms: Vulnerability Response