IAM-22—Password Authentication Standard: Federal Systems

>Control Description

Organization information systems obscure feedback of authentication information during the authentication process (e.g., the system does not disclose error information such as "'user1' is not a valid username") and have the following password requirements: • minimum of 12 characters • contains at least one upper-case letter, lower-case letter, number, and a special character • at least one of the characters is changed when the new passwords are created. • the password life span is between 1 to 60 days • password reuse is prohibited for 24 generations • only allow the use of temporary password system logons with an immediate change to a permanent password

Theme

Technology

Type

Preventive

Policy/Standard

Access Management Procedure

>Implementation Guidance

1. Ensure that failed authentication notes do not contain any error information. 2. Ensure that the password policy in the logical access system is defined as below: -Minimum 12 character length -Password complexity has one upper-case, lower-case, and a special character -Temporary Passwords are immediately changed to a permanent password -Passwords cannot be the same as the last 24 passwords -Passwords must be rotated at least every 60 days

>Testing Procedure

1. Inspect that failed authentication notes do not contain any error information. 2. Inspect that the password policy in the logical access system and ensure that it is defined as below: -Minimum 12 character length -Password complexity has one upper-case, lower-case, and a special character -Temporary Passwords are immediately changed to a permanent password -Passwords cannot be the same as the last 24 passwords -Passwords must be rotated at least every 60 days

>Audit Artifacts

E-IAM-28

E-IAM-18

>Framework Mappings

Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.

CIS Controls
1

5.2

Ask AI

Configure your API key to use AI features.