If you strip most cyber incidents down to their root cause, you will usually find the same failure:
Someone—or something—had access they should not have had.
It might be:
A compromised employee account
An administrator with too much privilege
A service account that was never rotated
A vendor account that was never removed
Tools fail. Controls misfire. Alerts get missed.
But identity and access failures quietly bypass them all.
That is why PR.AA – Identity Management, Authentication, and Access Control is the first category in the NIST CSF 2.0 Protect function. It represents the moment where cybersecurity stops being abstract planning and starts becoming real enforcement.
How PR.AA Fits Into the Big Picture
Up to this point, the Identify function helped answer:
What assets exist? (ID.AM)
What risks matter most? (ID.RA)
How do we learn and improve over time? (ID.IM)
The Protect function answers the next logical question:
“Now that we know what matters—how do we stop bad things from happening?”
PR.AA is the foundation of that answer.
If Identify tells you what you need to protect,
PR.AA determines who is allowed near it.
What Is PR.AA (In Simple Terms)?
PR.AA ensures that only the right people, systems, and services can access the right things, in the right way, at the right time.
It covers three tightly related areas:
Identity Management
Knowing who or what is requesting accessAuthentication
Proving that identity is legitimateAccess Control
Deciding what that identity is allowed to do
Importantly, NIST CSF 2.0 makes it clear that identity is not just people.
Identities include:
Employees
Contractors
Vendors
Administrators
Applications
APIs
Cloud workloads
Automated services
If it can log in, connect, or authenticate—it is an identity.
Why Identity Is So Critical Today
In older environments, security relied heavily on:
Corporate networks
Firewalls
Physical office locations
Those boundaries are gone.
Today:
Users work remotely
Applications live in the cloud
Data is accessed through SaaS
Vendors connect directly into environments
Because of this shift:
Identity has become the new perimeter.
Attackers no longer try to “break in” noisily.
They try to log in quietly.
Common PR.AA Mistakes (Especially in Growing Programs)
Understanding what not to do is just as important.
1. “We Have MFA, So We’re Good”
Multi-factor authentication is important—but it is not enough.
If a user:
Has excessive access
Retains access after changing roles
Keeps admin rights permanently
Then MFA only protects bad decisions more securely.
2. Treating Identity as an IT Problem
Identity is often owned by IT, but access risk belongs to the business.
Security teams enforce controls.
Business leaders decide who needs access to what.
When this line blurs, privilege creep explodes.
3. Ignoring Non-Human Accounts
Service accounts and APIs often:
Have broad permissions
Never expire
Are poorly monitored
These accounts are frequently involved in major breaches because they are powerful and invisible.
How to Implement PR.AA in a Clear, Practical Way
1. Start by Knowing Your Identities
At a minimum, organizations should be able to answer:
How many identities exist?
Which are human vs non-human?
Which identities are privileged?
Who owns each identity?
If an identity has no owner, it is unmanaged risk.
2. Match Authentication Strength to Risk
Not every action requires the same level of trust.
For example:
Reading public data ≠ administering production systems
Internal access ≠ remote access
Temporary access ≠ permanent access
Mature programs apply stronger authentication where the impact is higher, rather than everywhere equally.
3. Enforce Least Privilege as a Habit
Least privilege means:
Access is granted based on real business need
Access is removed when it’s no longer needed
Elevated access is temporary whenever possible
Think of access like keys:
You borrow them when needed
You return them when finished
You don’t keep every key “just in case”
4. Control Privileged Access Carefully
Administrator and high-risk access should:
Be limited to a small population
Require additional approval
Be logged and monitored
Expire automatically
Standing admin privileges are one of the most common and dangerous weaknesses in cybersecurity programs.
5. Make Access Decisions Understandable and Auditable
Good PR.AA programs allow anyone to answer:
Who approved this access?
Why was it granted?
How long is it valid?
When was it last reviewed?
This clarity protects both the organization and the individuals involved.
Metrics That Help Everyone Understand Progress
Metrics should explain how well access is controlled, not just which tools are deployed.
Simple, Foundational Metrics
% of users with MFA enabled
% of privileged accounts identified
% of identities with a documented owner
Time to remove access after termination
These are easy to grasp and extremely informative.
Better Risk-Focused Metrics
Number of standing privileged accounts
Average duration of elevated access
% of access approved by business owners
Privilege reductions over time
These show whether risk is actually decreasing.
What “Good” Looks Like (At Any Level)
A healthy PR.AA capability means:
Access is intentional, not accidental
Privilege is earned, justified, and temporary
Business owners understand their responsibility
Identity decisions can be explained without panic
Security enables work without becoming a blocker
For beginners, this creates clarity.
For new CISOs, it creates confidence and credibility.
Final Thoughts
You can invest in the best security tools available.
You can write the strongest policies.
You can design beautiful architectures.
But if identity and access are weak, attackers will simply walk around all of it.
NIST CSF 2.0 places PR.AA at the front of Protect because security starts with trust—and trust must be enforced.
If Identify tells you what matters,
Protect—starting with identity—decides who can touch it.