800-53|IA-5

Title

AUTHENTICATOR MANAGEMENT

Description

The organization manages information system authenticators by:

Supplemental

Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.

Reference Item Details

Related: AC-2,AC-3,AC-6,CM-6,IA-2,IA-4,IA-8,PL-4,PS-5,PS-6,SC-12,SC-13,SC-17,SC-28

Category: IDENTIFICATION AND AUTHENTICATION

Family: IDENTIFICATION AND AUTHENTICATION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1 Ensure Minimum Password Length is set to 14 or higherCheckPointCIS Check Point Firewall L1 v1.1.0
1.1.1 - /etc/security/user - 'mindiff >= 4'UnixCIS AIX 5.3/6.1 L1 v1.1.0
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Windows Server 2012 MS L1 v3.0.0
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 DC
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 11 Stand-alone v3.0.0 L1 + BL
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2016 v3.0.0 L1 MS
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 10 Stand-alone v3.0.0 L1 BL
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2022 v3.0.0 L1 Domain Controller
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2019 STIG v2.0.0 L1 DC
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2019 STIG v2.0.0 L1 MS
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2019 Stand-alone v2.0.0 L1 MS
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2022 v3.0.0 L1 Member Server
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Windows Server 2012 DC L1 v3.0.0
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 11 Enterprise v3.0.0 L1 + BL
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 10 Stand-alone v3.0.0 L1 NG
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Windows Server 2012 R2 MS L1 v3.0.0
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Windows Server 2012 R2 DC L1 v3.0.0
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 11 Enterprise v3.0.0 L1
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2019 v3.0.1 L1 DC
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2016 v3.0.0 L1 DC
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 10 Enterprise v3.0.0 L1 + NG
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 MS
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 10 EMS Gateway v3.0.0 L1
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 10 Enterprise v3.0.0 L1
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 11 Stand-alone v3.0.0 L1
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2019 v3.0.1 L1 MS
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 10 Stand-alone v3.0.0 L1
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 10 Stand-alone v3.0.0 L1 BL NG
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL + NG
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2022 STIG v1.0.0 L1 MS
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2016 STIG v3.0.0 L1 Domain Controller
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2022 STIG v1.0.0 STIG MS
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 MS
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2022 STIG v1.0.0 L1 DC
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2016 STIG v3.0.0 L1 MS
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 DC
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0