IA.L2-3.5.9

  • Requirement

    Allow temporary password use for system logons with an immediate change to a permanent password.

  • Discussion

    Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises.

More Info

  • Title

    Temporary Passwords
  • Domain

    Identification and Authentication
  • CMMC Level

    2
  • Related NIST 800-171 ID

  • Related NIST 800-53 ID

    IA-5(1)

  • DoD Scoring Methodology Points

    1

  • Reference Documents

    • N/A

  • Further Discussion

    Users must change their temporary passwords the first time they log in. Temporary passwords often follow a consistent style within an organization and can be more easily guessed than passwords created by the unique user. This approach to temporary passwords should be avoided.

    Example

    One of your duties as a systems administrator is to create accounts for new users. You configure all systems with user accounts to require users to change a temporary password upon initial login to a permanent password [a]. When a user logs on for the first time, they are prompted to create a unique password that meets all of the defined complexity rules.

    Potential Assessment Considerations

    • Are temporary passwords only valid to allow a user to perform a password reset [a]?
    • Does the system enforce an immediate password change after logon when a temporary password is issued [a]?

NIST 800-171A Assessment Guidance

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!