
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Navigation: IA-FAMILY: IDENTIFICATION AND AUTHENTICATION

IA-5(1) AUTHENTICATOR MANAGEMENT  |  PASSWORD-BASED AUTHENTICATION


Applicable: (Y)es / (N)o
(C)onfidentiality: L1 / M2 / H3
(I)ntegrity: L1 / M2 / H3
(A)vailability: L1 / M2 / H3
RPN (C+I+A): ###
(S)atisfactory / (O)ther than satisfactory +##


Assessment objective:

Determine if, for password-based authentication:

IA-5(1)(a)[1]  the organization defines requirements for case sensitivity;
IA-5(1)(a)[2]  the organization defines requirements for number of characters;
IA-5(1)(a)[3]  the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;
IA-5(1)(a)[4]  the organization defines minimum requirements for each type of character;
IA-5(1)(a)[5]  the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;
IA-5(1)(b)[1]  the organization defines a minimum number of changed characters to be enforced when new passwords are created;
IA-5(1)(b)[2]  the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;
IA-5(1)(c)     the information system stores and transmits only encrypted representations of passwords;
IA-5(1)(d)[1]  the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;
IA-5(1)(d)[2]  the organization defines numbers for password maximum lifetime restrictions to be enforced for passwords;
IA-5(1)(d)[3]  the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;
IA-5(1)(d)[4]  the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;
IA-5(1)(e)[1]  the organization defines the number of password generations to be prohibited from password reuse;
IA-5(1)(e)[2]  the information system prohibits password reuse for the organization-defined number of generations; and
IA-5(1)(f)     the information system allows the use of a temporary password for system logons with an immediate change to a permanent password.

Potential assessment methods and objects:

Examine: [select from: Identification and authentication policy; password policy; procedures addressing authenticator management; security plan; information system design documentation; information system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].

Test: [select from: Automated mechanisms supporting and/or implementing password-based authenticator management capability].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056