Check: DSN13.08
Defense Switched Network (DSN) STIG: DSN13.08
(in versions v2 r8 through v2 r7)
Title
Users are permitted to change their passwords at an interval of less than 24 hours without ISSO/IAO intervention. (Cat II impact)
Discussion
Requirement: The IAO will ensure that NO user passwords will be changed at an interval of less than 24 hours without IAO intervention. Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.
Check Content
Have the IAO or SA demonstrate compliance with the requirement, at minimum on a sampling of the related or affected devices. Inspect configuration files as applicable.
Fix Text
Ensure that user passwords are not allowed to be changed for at least 24 hours after a change operation.
Additional Identifiers
Rule ID: SV-8449r1_rule
Vulnerability ID: V-7963
Group Title: Password change interval (24 hours) not enforced
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |