NIST 800-171 - Temporary Passwords (3.5.9)


Overview:
Allow temporary password use for system logons with an immediate change to a permanent password.


Action Items:
3.5.9[a]
Determine if: an immediate change to a permanent password is required when a temporary password is used for system logon.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1. Examine: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system configuration settings and associated documentation; system design documentation; password configurations and associated documentation; other relevant documents or records.


2. Interview: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers.


3. Test: Mechanisms supporting or implementing password-based authenticator management capability.


Related Documents (document name and content will vary by organization):
1) Identification and authentication policy
2) password policy
3) procedures addressing authenticator management
4) system security plan
5) system configuration settings and associated documentation
6) system design documentation
7) password configurations and associated documentation
8) other relevant documents or records


Additional Guidance:
Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises.
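A concrete way to carry out the "Test" assessment method above on a Linux system, as an added example that is not part of the original article: on Linux, `chage -d 0 <user>` (or `passwd -e <user>`) sets the last-change field (field 3) of /etc/shadow to 0, which shadow(5) defines as "the user must change the password at next login". The script below parses a constructed shadow-format sample (the hashes are placeholders, not real) and reports any account issued a temporary password that is not flagged for a forced change. The account names and the sample data are assumptions for the demonstration; on a real host you would read /etc/shadow as root instead of the embedded sample.

```shell
#!/bin/sh
# Added example: audit Linux accounts for the 3.5.9 "change at first logon" flag.
# Field layout of /etc/shadow: name:hash:lastchg:min:max:warn:inactive:expire:
# lastchg == 0 means the password must be changed at the next login (shadow(5)).

# Constructed sample in /etc/shadow format (placeholder hashes, hypothetical users).
SAMPLE_SHADOW='root:$6$placeholder:19600:0:99999:7:::
newhire:$6$placeholder:0:0:99999:7:::
contractor:$6$placeholder:19620:0:99999:7:::
svcacct:!:19500:0:99999:7:::'

# must_change_at_login USER SHADOW_TEXT
# Prints "yes" if the account is forced to change its password at next login,
# "no" if it is not, and "unknown" if the account does not appear in the data.
must_change_at_login() {
    user="$1"
    shadow="$2"
    lastchg=$(printf '%s\n' "$shadow" | awk -F: -v u="$user" '$1 == u { print $3 }')
    if [ -z "$lastchg" ]; then
        echo unknown
    elif [ "$lastchg" = "0" ]; then
        echo yes
    else
        echo no
    fi
}

# audit_temp_accounts SHADOW_TEXT USER...
# USER... are the accounts that were issued temporary passwords (e.g. from the
# help-desk ticket log). Prints a FAIL line for each one not forced to change
# and returns 1 if any failed, 0 if all are compliant.
audit_temp_accounts() {
    shadow="$1"
    shift
    rc=0
    for u in "$@"; do
        if [ "$(must_change_at_login "$u" "$shadow")" != "yes" ]; then
            echo "FAIL: $u is not set to change its temporary password at next logon"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample: newhire passes, contractor fails.
audit_temp_accounts "$SAMPLE_SHADOW" newhire contractor
```

On a live system the equivalent one-liner is `sudo awk -F: '$3 == 0 {print $1}' /etc/shadow`, which lists every account currently forced to change its password; `chage -l <user>` shows the same state as "Password must be changed". For Active Directory the corresponding setting is the "User must change password at next logon" flag (`Set-ADUser <user> -ChangePasswordAtLogon $true`). Note that this check only confirms the forced change; it does not by itself bound how long an unused temporary password stays valid, which is a separate setting (for example `chage -M` or an account expiry date).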



Article ID: 157
Created: September 26, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/nist-800-171-temporary-passwords-3-5-9-157.html