Title

The system is not configured to disable a users account after three notifications of password expiration. (Cat II impact)

Discussion

Requirement: The IAO will ensure that users will be prompted by the system three times to change their passwords before or after the password has reached the maximum password lifetime. If the user fails to change their password, their account will be disabled The user should be notified three times after their password has expired. If the user does not change their password after three notifications, the system should disable the account and require the ISSO/IAO or other designated individual intervention to reactivate the account. This measure ensures that all users comply with mandatory password changes.

Check Content

>TABLE OFCENG; EXPIRED_PASSWORD_GRACE = 3

Fix Text

Ensure the DSN component is configured to disable a user account after the user has received three notifications of password expiration.

Additional Identifiers

Rule ID: SV-8455r1_rule

Vulnerability ID: V-7969

Group Title: Access not disabled after password expiration

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.