SI-4 / A.8.16 / CIS-8.11 NIST SP 800-53 Rev 5

IdP availability monitored


Description

What this control does

This control requires continuous monitoring of Identity Provider (IdP) availability and performance to ensure authentication services remain operational. Monitoring systems track uptime, response times, authentication success/failure rates, and service health metrics with automated alerting when thresholds are breached or outages occur. The control is critical because IdP unavailability blocks user access to all federated applications and services, creating business disruption and potential security blind spots when authentication logs fail to generate.

Control objective

What auditing this proves

Demonstrate that the organization continuously monitors Identity Provider availability with automated alerting mechanisms that detect service degradation or outages in time to trigger incident response procedures.

Associated risks

Risks this control addresses

  • Prolonged IdP outage preventing legitimate users from accessing critical business applications without timely detection
  • Degraded authentication performance causing user lockouts or application timeouts that appear as sporadic failures rather than systemic issues
  • Delayed detection of distributed denial-of-service attacks targeting the IdP infrastructure
  • Inability to correlate authentication failures with infrastructure events during post-incident investigations due to missing availability telemetry
  • Cascading failures in dependent applications that timeout waiting for IdP responses without early warning
  • Service Level Agreement breaches with federated partners due to undetected IdP performance degradation
  • Security team unaware of authentication bypass attempts disguised as service availability issues

Testing procedure

How an auditor verifies this control

  1. Request the current IdP monitoring configuration documentation identifying all monitored metrics, thresholds, and alert definitions
  2. Obtain access to the monitoring dashboard or system used to track IdP availability and review the last 90 days of availability data
  3. Verify that synthetic transaction monitoring or health checks actively test authentication workflows from external network perspectives
  4. Review alert configuration to confirm automated notifications trigger for critical metrics including service availability below 99%, authentication response time exceeding defined thresholds, and elevated error rates
  5. Examine incident response records for the past six months to identify at least one instance where IdP monitoring alerts triggered investigative or remediation actions
  6. Interview the security operations or infrastructure team to confirm 24/7 monitoring coverage and validate escalation procedures when alerts fire
  7. Test alert functionality by requesting evidence of a recent test alert or coordinating a controlled monitoring test during the audit period
  8. Review integration between IdP monitoring tools and the organization's SIEM or centralized logging platform to confirm availability events correlate with authentication logs
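A way to recompute the step 4 alert conditions from exported synthetic-probe results, as an added example that is not part of the original control text. The `Probe` record layout is hypothetical, and the latency and error-rate limits are assumed stand-ins for the organization's "defined thresholds"; only the 99% availability figure comes from the procedure above.

```python
from dataclasses import dataclass

MIN_AVAILABILITY = 0.99      # from step 4 of the testing procedure
MAX_P95_LATENCY_MS = 2000    # assumed value for the "defined threshold"
MAX_ERROR_RATE = 0.05        # assumed value for "elevated error rates"

@dataclass
class Probe:                 # hypothetical export format, one row per check
    ts: int                  # epoch seconds of the synthetic login attempt
    reachable: bool          # the IdP endpoint answered at all
    auth_ok: bool            # the test account completed authentication
    latency_ms: int

def evaluate_window(probes):
    """Return (metrics, alerts) for one window of synthetic probe results."""
    if not probes:
        # Missing telemetry is itself a finding: the monitor may be down.
        return {}, ["NO_DATA"]
    up = [p for p in probes if p.reachable]
    availability = len(up) / len(probes)
    # Count auth failures only among probes that reached the IdP, so an
    # outage is not double-counted as an authentication error.
    error_rate = sum(1 for p in up if not p.auth_ok) / len(up) if up else 0.0
    lat = sorted(p.latency_ms for p in up)
    # Nearest-rank 95th percentile, computed with integer arithmetic.
    p95 = lat[(95 * len(lat) + 99) // 100 - 1] if lat else None
    alerts = []
    if availability < MIN_AVAILABILITY:
        alerts.append("AVAILABILITY")
    if p95 is not None and p95 > MAX_P95_LATENCY_MS:
        alerts.append("LATENCY")
    if error_rate > MAX_ERROR_RATE:
        alerts.append("ERROR_RATE")
    metrics = {"availability": availability, "error_rate": error_rate,
               "p95_latency_ms": p95, "samples": len(probes)}
    return metrics, alerts

def sample_probes():
    """Constructed data: 200 one-minute probes with a 3-minute outage."""
    return [Probe(ts=i * 60, reachable=i not in (50, 51, 52),
                  auth_ok=i not in (50, 51, 52), latency_ms=150)
            for i in range(200)]

if __name__ == "__main__":
    metrics, alerts = evaluate_window(sample_probes())
    print(metrics, alerts)
```

Comparing the recomputed alerts with the alert notifications the monitoring system actually sent for the same window shows whether the configured rules fired as documented.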

Evidence required

Collect monitoring system configuration exports showing IdP health check definitions, alerting rules, and threshold values. Obtain screenshots or reports demonstrating 30-90 days of historical availability metrics, uptime percentages, and response time trends. Gather incident tickets, alert notifications, or escalation records proving that monitoring alerts triggered operational responses during actual or simulated IdP degradation events.

Pass criteria

The control passes if automated monitoring actively tracks IdP availability metrics with defined thresholds, generates alerts when service degradation occurs, and evidence demonstrates that the monitoring system successfully detected at least one availability event that triggered documented response actions within the audit period.
