03.05.12: Authenticator Management
Control Family: Identification and Authentication
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-63-3 [27]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.05.12
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5 IA-05
a. Verify the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution.
b. Establish initial authenticator content for any authenticators issued by the organization.
c. Establish and implement administrative procedures for initial authenticator distribution; for lost, compromised, or damaged authenticators; and for revoking authenticators.
d. Change default authenticators at first use.
e. Change or refresh authenticators [Assignment: organization-defined frequency] or when the following events occur: [Assignment: organization-defined events].
f. Protect authenticator content from unauthorized disclosure and modification.
Discussion:
Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. The initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, requirements for authenticator content contain specific characteristics. Authenticator management is supported by organization-defined settings and restrictions for various authenticator characteristics (e.g., password complexity and composition rules, validation time window for time synchronous one-time tokens, and the number of allowed rejections during the verification stage of biometric authentication).
The requirement to protect individual authenticators may be implemented by 03.15.03 for authenticators in the possession of individuals and by 03.01.01, 03.01.02, 03.01.05, and 03.13.08 for authenticators stored in organizational systems. This includes passwords stored in hashed or encrypted formats or files that contain hashed or encrypted passwords that are accessible with administrator privileges. Actions can be taken to protect authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators.
Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well-known, easily discoverable, and present a significant risk. Authenticator management includes issuing and revoking authenticators for temporary access when they are no longer needed. The use of long passwords or passphrases may obviate the need to periodically change authenticators.
Assessment Methods and Objectives
Examine [SELECT FROM: identification and authentication policy and procedures; procedures for authenticator management; system configuration settings; list of system authenticator types; system design documentation; system audit records; change control records associated with managing system authenticators; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with authenticator management responsibilities; personnel with information security responsibilities; system administrators]
Test [SELECT FROM: mechanisms for supporting or implementing the authenticator management capability]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.05.12.ODP[01]: the frequency for changing or refreshing authenticators is defined.
A.03.05.12.ODP[02]: events that trigger the change or refreshment of authenticators are defined.
A.03.05.12.a: the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution is verified.
A.03.05.12.b: initial authenticator content for any authenticators issued by the organization is established.
A.03.05.12.c[01]: administrative procedures for initial authenticator distribution are established.
A.03.05.12.c[02]: administrative procedures for lost, compromised, or damaged authenticators are established.
A.03.05.12.c[03]: administrative procedures for revoking authenticators are established.
A.03.05.12.c[04]: administrative procedures for initial authenticator distribution are implemented.
A.03.05.12.c[05]: administrative procedures for lost, compromised, or damaged authenticators are implemented.
A.03.05.12.c[06]: administrative procedures for revoking authenticators are implemented.
A.03.05.12.d: default authenticators are changed at first use.
A.03.05.12.e: authenticators are changed or refreshed <A.03.05.12.ODP[01]: frequency> or when the following events occur: <A.03.05.12.ODP[02]: events>.
A.03.05.12.f[01]: authenticator content is protected from unauthorized disclosure.
A.03.05.12.f[02]: authenticator content is protected from unauthorized modification.