IA.L2-3.5.9 Temporary Passwords
Allow temporary password use for system logons with an immediate change to a permanent password.
Source: NIST SP 800-171 Rev 2 3.5.9
Discussion: Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises.
Assessment Objectives:
Determine if:
- [a] an immediate change to a permanent password is required when a temporary password is used for system logon.
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].
SPRS Score: 1
POA&M Allowed: Yes