3.5.9 has a weight of -1 points

(Identification and Authentication Family) 9/11

Allow temporary password use for system logons with an immediate change to a permanent password.

Example of System Security Plan (SSP):

System Security Plan: Use of Temporary Passwords with Immediate Change to Permanent Passwords

  1. Policy Statement: The organization has implemented a policy to allow the use of temporary passwords for system logons, with an immediate change to a permanent password.
  2. Temporary Password Generation:
     • Temporary passwords are generated and provided to users upon registration or password reset requests.
     • Temporary passwords are designed to be strong and unique.
  3. Password Change upon System Logon:
     • Users are required to change their temporary passwords to permanent passwords immediately after their initial system logon.
     • The system enforces password complexity requirements, including minimum length, character types, and expiration period, for the permanent passwords.
  4. Authentication Mechanism Strength:
     • By changing temporary passwords to permanent passwords at the earliest opportunity, the organization ensures that a strong authentication mechanism is in place from the start.
     • This measure reduces the susceptibility to authenticator compromises and enhances the overall security of the system.
  5. User Notifications:
     • Users are informed about the use of temporary passwords and the immediate change requirement during the logon process.
     • Users are advised to choose strong, unique permanent passwords to safeguard their accounts.
  6. Password Expiration and Renewal:
     • The system is configured to enforce password expiration for permanent passwords based on organizational security policies.
     • Users are prompted to renew their passwords regularly to maintain the security of their accounts.
  7. Monitoring and Auditing:
     • The IT security team regularly monitors the system logs to ensure compliance with the policy of using temporary passwords and immediate password changes.
     • Any deviations from the policy are investigated and addressed promptly.
  8. User Training and Awareness:
     • The organization conducts periodic security awareness training for users, emphasizing the importance of using temporary passwords securely and changing them immediately upon logon.
  9. Exceptions:
     • Exceptions to the policy may be granted on a case-by-case basis, subject to approval by the appropriate authority (e.g., IT security manager).
     • All exceptions are documented, justified, and periodically reviewed.

Example of Plan of Action and Milestones (POA&M):

Milestone 1: Policy Review and Approval

  • Review the existing policy on the use of temporary passwords with immediate change to permanent passwords to ensure compliance with NIST 800-171 requirements and organizational security needs. [Target Date]
  • Obtain approval from the appropriate authority (e.g., IT security manager) for any necessary policy revisions. [Target Date]

Milestone 2: Temporary Password Generation

  • Establish procedures to generate strong and unique temporary passwords for users upon registration or password reset requests. [Target Date]
  • Ensure that temporary passwords meet the organization’s complexity requirements and are designed to be resilient against unauthorized access. [Target Date]

Milestone 3: Password Change upon System Logon

  • Configure the system to require users to change their temporary passwords to permanent passwords immediately after their initial system logon. [Target Date]
  • Implement password complexity requirements, including minimum length, character types, and expiration period, for the permanent passwords. [Target Date]

Milestone 4: Authentication Mechanism Strength

  • By changing temporary passwords to permanent passwords at the earliest opportunity, ensure that a strong authentication mechanism is in place from the start. [Target Date]
  • Conduct a risk assessment to evaluate the potential impact of unauthorized access through temporary passwords and implement mitigations. [Target Date]

Milestone 5: User Notifications

  • Develop user notifications during the logon process to inform users about the use of temporary passwords and the requirement for immediate password changes. [Target Date]
  • Advise users to choose strong and unique permanent passwords to safeguard their accounts. [Target Date]

Milestone 6: Password Expiration and Renewal

  • Configure the system to enforce password expiration for permanent passwords based on organizational security policies. [Target Date]
  • Implement password renewal prompts to remind users to change their passwords regularly for account security. [Target Date]

Milestone 7: Monitoring and Auditing

  • Set up monitoring and auditing capabilities to regularly review system logs for compliance with the temporary password policy. [Target Date]
  • Define criteria for detecting deviations from the policy and establish reporting mechanisms for addressing non-compliant instances. [Target Date]
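One way to turn the log-review and deviation-detection items of Milestone 7 (and the SSP's Monitoring and Auditing section) into a repeatable check, as an added example that is not part of the original page or any product: the log layout, event names, sample accounts and the 24-hour limit for unused temporary passwords are assumptions constructed for this example. It flags accounts that logged on with a temporary password but did not immediately set a permanent one, and temporary passwords that were issued but never used.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not output of any real system); the
# "timestamp EVENT key=value ..." layout and event names are assumptions.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z TEMP_PASSWORD_ISSUED user=alice by=helpdesk
2024-05-01T09:15:00Z LOGON user=alice auth=temporary
2024-05-01T09:16:00Z PASSWORD_CHANGED user=alice
2024-05-01T10:00:00Z TEMP_PASSWORD_ISSUED user=bob by=helpdesk
2024-05-01T10:30:00Z LOGON user=bob auth=temporary
2024-05-02T08:00:00Z LOGON user=bob auth=temporary
2024-05-01T11:00:00Z TEMP_PASSWORD_ISSUED user=carol by=helpdesk
"""
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s*(.*)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, rest = m.groups()
    rec = {"ts": datetime.strptime(ts, TS_FMT), "event": event}
    rec.update(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return rec

def audit_temporary_passwords(log_text, now_iso, max_unused_hours=24):
    """Return {user: finding} for each temporary password not replaced at first logon."""
    now = datetime.strptime(now_iso, TS_FMT)
    records = sorted(filter(None, map(parse_line, log_text.splitlines())),
                     key=lambda r: r["ts"])  # events may be logged out of order
    state = {}  # user -> issuance time, temp-password logon count, changed flag
    for rec in records:
        user = rec.get("user")
        if rec["event"] == "TEMP_PASSWORD_ISSUED":
            state[user] = {"issued": rec["ts"], "logons": 0, "changed": False}
        elif user in state and not state[user]["changed"]:
            if rec["event"] == "LOGON" and rec.get("auth") == "temporary":
                state[user]["logons"] += 1
            elif rec["event"] == "PASSWORD_CHANGED":
                state[user]["changed"] = True  # permanent password now in place
    findings = {}
    for user, s in state.items():
        if s["changed"]:
            continue  # compliant with 3.5.9: changed at (or right after) first logon
        if s["logons"] == 0:
            if now - s["issued"] > timedelta(hours=max_unused_hours):
                findings[user] = "unused temporary password older than limit; revoke it"
        else:
            findings[user] = "%d logon(s) with temporary password and no change" % s["logons"]
    return findings
```

Each finding maps to a deviation the policy says must be investigated; an account that changed its password at first logon produces no finding.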

Milestone 8: User Training and Awareness

  • Conduct periodic security awareness training for users, emphasizing the importance of using temporary passwords securely and changing them immediately upon logon. [Target Date]
  • Provide guidance on password best practices and the significance of strong authentication mechanisms. [Target Date]

Milestone 9: Exception Handling Process Implementation

  • Develop and implement a process for granting exceptions to the policy on a case-by-case basis. [Target Date]
  • Define the approval authority for handling exceptions and ensure all exceptions are documented, justified, and periodically reviewed. [Target Date]

Milestone 10: Policy Rollout and Communication

  • Publish the updated policy on the use of temporary passwords with immediate change to permanent passwords and distribute it to all relevant stakeholders. [Target Date]
  • Communicate the policy changes to users, administrators, and IT staff to ensure awareness and compliance. [Target Date]

RELEVANT INFORMATION:

Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises.

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.