This section is normative.
With the exception of identity proofing for the purposes of providing one-time access to an online service, or when an applicant declines enrollment into an account, the CSP SHALL enroll the applicant as a subscriber into its identity service and establish a unique subscriber account for that subscriber following the successful identity proofing of an applicant.
The CSP SHALL assign a unique identifier to each subscriber account.
At a minimum, the CSP SHALL include the following information in each subscriber account:
The CSP SHALL record information in the subscriber account that was collected during the identity proofing process or subsequently updated for each subscriber, including:
The CSP SHALL perform a privacy risk assessment for the processing, retention, or disclosure of any personal information maintained in the subscriber account in accordance with Sec. 5.1.2.
In order to meet the requirement that accounts containing PII be protected by multi-factor authentication (MFA), the CSP SHALL provide a way for subscribers to access the information in their subscriber account through AAL2 or AAL3 authentication processes using authenticators registered to the subscriber account.
The CSP SHALL provide the capability for subscribers to change or update the personal information contained in their subscriber account.
The CSP SHALL establish and maintain a unique subscriber account for each active subscriber in the CSP identity system from the time of enrollment to the time of account closure, as described below. Until the account is closed, the CSP SHALL provide for the use of the subscriber account, information contained in the account, and registered authenticators.
The CSP SHALL terminate the subscriber account and discontinue its use when one of the following occurs:
The CSP SHALL delete any personal or sensitive information from the subscriber account records following account termination in accordance with the record retention and disposal requirements.