This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
Additional FedRAMP Requirements and Guidance:
(L)(M) Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL Level 2. Link https://pages.nist.gov/800-63-3.
(H) Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL Level 3. Link https://pages.nist.gov/800-63-3.
NIST 800-53 (r4) Supplemental Guidance:
Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28.
References:
OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed. Related Controls: AC-3, AC-6, CM-6, IA-2, IA-4, IA-7, IA-8, IA-9, MA-4, PE-2, PL-4, SC-12, SC-13.
38North Guidance:
Meets Minimum Requirement:
IA-5.a - Manages information system authenticators by:
- verifying, as part of the initial authenticator distribution, the identity of:
  - the individual receiving the authenticator;
  - the group receiving the authenticator;
  - the role receiving the authenticator; and/or
  - the device receiving the authenticator.
IA-5.c - Manages information system authenticators by:
- ensuring that authenticators have sufficient strength of mechanism for their intended use.
IA-5.e - Manages information system authenticators by:
- changing default content of authenticators prior to information system installation.
IA-5.g - Manages information system authenticators by:
- changing/refreshing authenticators within the organization-defined time period by authenticator type.
IA-5.h - Manages information system authenticators by:
- protecting authenticator content from unauthorized:
  - disclosure; and
  - modification.
IA-5.i.2 - Manages information system authenticators by:
- having devices implement specific security safeguards to protect authenticators.
IA-5.j - Manages information system authenticators by:
- changing authenticators for group/role accounts when membership to those accounts changes.
Best Practice:
Manage passwords and cryptographic keys by verifying the identity of the person to whom the credentials are issued.
Ensure the MFA used to access the FedRAMP environment is FIPS 140-2 or FIPS 140-3 validated.
Implement automated mechanisms to ensure default passwords are changed before they are used for authentication into the FedRAMP environment.
Enforce complexity requirements for all password authenticators through LDAP, Group Policy (GPO), or an equivalent mechanism.
If Active Directory (AD) is used, the "Store passwords using reversible encryption" policy setting should be disabled in AD to protect passwords from unauthorized disclosure in storage and in transit.
If shared/group accounts are used, their passwords should be changed whenever someone leaves the group or the FedRAMP environment.
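The AD settings the best practices above rely on (complexity, lifetime and reuse limits, reversible encryption) can be audited in one pass and the output kept as assessment evidence. The script below is an added example, not part of the original page or any 38North tooling; it assumes the RSAT ActiveDirectory module is installed, and the threshold values at the top are placeholders to be replaced with the organization's own SSP values.

```powershell
Import-Module ActiveDirectory
# Assumed organizational thresholds (placeholders): use the values from the SSP.
$MinLength    = 14
$MaxAgeDays   = 60
$HistoryCount = 24

function Test-PasswordPolicy {
    param([Parameter(Mandatory)] $Policy, [Parameter(Mandatory)] [string] $Name)
    # One finding per IA-5 item the policy fails; an empty list means it passes.
    $findings = @()
    if (-not $Policy.ComplexityEnabled) {
        $findings += 'IA-5.c: password complexity is not enforced'
    }
    if ($Policy.MinPasswordLength -lt $MinLength) {
        $findings += "IA-5.c: MinPasswordLength $($Policy.MinPasswordLength) is below $MinLength"
    }
    $ageDays = $Policy.MaxPasswordAge.TotalDays
    if ($ageDays -le 0 -or $ageDays -gt $MaxAgeDays) {
        $findings += "IA-5.f/g: MaxPasswordAge $ageDays days (0 = never expires) exceeds $MaxAgeDays"
    }
    if ($Policy.PasswordHistoryCount -lt $HistoryCount) {
        $findings += "IA-5.f: PasswordHistoryCount $($Policy.PasswordHistoryCount) is below $HistoryCount"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'IA-5.h: reversible password encryption is enabled'
    }
    [pscustomobject]@{ Policy = $Name; Findings = $findings }
}

# Check the domain default plus every fine-grained policy (FGPPs override it).
$results = @(Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'Default Domain Policy')
foreach ($fgpp in (Get-ADFineGrainedPasswordPolicy -Filter *)) {
    $results += Test-PasswordPolicy -Policy $fgpp -Name $fgpp.Name
}

# The per-account "Store password using reversible encryption" flag is
# userAccountControl bit 0x80 and bypasses the policy-level setting (IA-5.h).
$reversibleUsers = @(Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
    Select-Object -ExpandProperty SamAccountName)

# Print a findings summary and keep a CSV copy as assessment evidence.
foreach ($r in $results) {
    $state = if ($r.Findings.Count -eq 0) { 'PASS' } else { 'FAIL: ' + ($r.Findings -join '; ') }
    Write-Output "$($r.Policy): $state"
}
Write-Output "Accounts with reversible encryption enabled: $($reversibleUsers.Count)"
$results | Select-Object Policy, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } |
    Export-Csv -Path '.\ia5-password-policy-audit.csv' -NoTypeInformation
```

Run it with an account that can read domain password policies and user objects; the CSV it writes pairs naturally with the policy-settings evidence listed under Assessment Evidence.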
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots demonstrating the password change process from start to finish.
Email notifications of password change requests or email notifications of a password change.
Password policy settings for LDAP, Active Directory (AD), or the application being offered to the customer.
CSP Implementation Tips: TBD