Basic Security Requirements:
5.1 Identify information system users, processes acting on behalf of users, or devices.
5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Derived Security Requirements:
5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
5.5 Prevent reuse of identifiers for a defined period.
5.6 Disable identifiers after a defined period of inactivity.
5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
5.8 Prohibit password reuse for a specified number of generations.
5.9 Allow temporary password use for system logons with an immediate change to a permanent password.
5.10 Store and transmit only encrypted representations of passwords.
5.11 Obscure feedback of authentication information.
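Requirements 5.7, 5.8 and 5.10 are usually enforced together by the component that sets and checks passwords. The following Python store is an added illustration, not part of the requirements text; it assumes a history depth of five generations and a complexity rule of twelve characters from at least three character classes, both policy values the document leaves to the implementer.

```python
import hashlib
import hmac
import os
import re

# Constructed example: only salted PBKDF2-HMAC-SHA256 digests are kept (5.10),
# reuse is rejected across the last N generations (5.8) and a minimum
# complexity is enforced on every new password (5.7).
HISTORY_GENERATIONS = 5        # assumed policy value, not from the document
PBKDF2_ITERATIONS = 600_000    # work factor for the stored digest


def derive(password: str, salt: bytes) -> bytes:
    """One-way, salted representation of the password; plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def meets_complexity(password: str) -> bool:
    """Assumed policy: 12+ characters drawn from at least three character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= 12 and sum(bool(re.search(c, password)) for c in classes) >= 3


class PasswordStore:
    def __init__(self) -> None:
        # user -> list of (salt, digest), oldest first
        self._history: dict[str, list[tuple[bytes, bytes]]] = {}

    def _reused(self, user: str, password: str) -> bool:
        # Each generation has its own salt, so the candidate is re-derived per entry.
        for salt, digest in self._history.get(user, [])[-HISTORY_GENERATIONS:]:
            if hmac.compare_digest(derive(password, salt), digest):
                return True
        return False

    def set_password(self, user: str, password: str) -> str:
        if not meets_complexity(password):
            return "rejected: complexity"
        if self._reused(user, password):
            return "rejected: reuse"
        salt = os.urandom(16)
        self._history.setdefault(user, []).append((salt, derive(password, salt)))
        return "ok"

    def verify(self, user: str, password: str) -> bool:
        entries = self._history.get(user)
        if not entries:
            return False
        salt, digest = entries[-1]          # only the current generation authenticates
        return hmac.compare_digest(derive(password, salt), digest)
```

A real deployment would persist the history in the credential database and pair this with the lockout and MFA controls listed above; the store here is in-memory to keep the example self-contained.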