The organization manages information system authenticators by:
- Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
- Establishing initial authenticator content for authenticators defined by the organization;
- Ensuring that authenticators have sufficient strength of mechanism for their intended use;
- Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
- Changing default content of authenticators prior to information system installation;
- Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
- Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
- Protecting authenticator content from unauthorized disclosure and modification;
- Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
- Changing authenticators for group/role accounts when membership to those accounts changes.
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.
The information system, for password-based authentication: Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; Stores and…
The information system, for PKI-based authentication: Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; Enforces authorized access to the corresponding private key; Maps the authenticated identity to the account of the individual or group; and Implements a local cache of revocation data to support…
The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].
The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems.
The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials.
The information system dynamically provisions identities.
The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].
The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements].
The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period].
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.
The organization uses only FICAM-approved path discovery and validation products and services.