IA-4 IDENTIFIER MANAGEMENT

Page last updated:

PCF Compliance

Identifiers for components within the PCF deployment are managed by BOSH, and the underlying Cloud Provider Interface (CPI). With High Probability, all identifiers are unique in a deployment, and not shared or reused. At the time of a new BOSH deployment, it is expected that, e.g. IP addresses in the CIDR range of the PAS private subnet may be reused. However, the BOSH director ensures that each IP address in the CIDE subnet will be uniquely assigned for a given deployment operation. Assignment of host identifiers is visible in audit logs of the BOSH director, PCF, and/or the CPI.

Identifiers used by external entities such as end users or end user devices are the responsibility of the deployer.


Control Description

The organization manages information system identifiers by:

  1. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
  2. Selecting an identifier that identifies an individual, group, role, or device;
  3. Assigning the identifier to the intended individual, group, role, or device;
  4. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
  5. Disabling the identifier after [Assignment: organization-defined time period of inactivity].

Supplemental Guidance

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.