Navigate

CCI-001610

CCI-001610 Definition

Defines the time-period (by authenticator type) for changing/refreshing authenticators.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

DoD has defined the time period as CAC - every 3 years, or 1 year from term of contract Password: 60 days Biometrics: every 3 years.

Validation Procedures

The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as CAC - every 3 years, or 1 year from term of contract Password: 60 days Biometrics: every 3 years.

Compelling Evidence

Automatically Compliant

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001610.

Control	Description
IA-5	The organization manages information system authenticators by: a: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b: Establishing initial authenticator content for authenticators defined by the organization; c: Ensuring that authenticators have sufficient strength of mechanism for their intended use; d: Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e: Changing default content of authenticators prior to information system installation; f: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g: Changing/refreshing authenticators [organization-defined time period by authenticator type]; h: Protecting authenticator content from unauthorized disclosure and modification; i: Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j: Changing authenticators for group/role accounts when membership to those accounts changes.

Control

Description

IA-5

The organization manages information system authenticators by:

a: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;

b: Establishing initial authenticator content for authenticators defined by the organization;

c: Ensuring that authenticators have sufficient strength of mechanism for their intended use;

d: Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;

e: Changing default content of authenticators prior to information system installation;

f: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;

g: Changing/refreshing authenticators [organization-defined time period by authenticator type];

h: Protecting authenticator content from unauthorized disclosure and modification;

i: Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and

j: Changing authenticators for group/role accounts when membership to those accounts changes.