CCI-001621

Implement organization-defined security controls to manage the risk of compromise due to individuals having accounts on multiple systems.

Implementation Guidance

The organization being inspected/assessed documents and implements policies and user training including advising users not to use the same password for any of the following: Domains of differing classification levels. More than one domain of a classification level (e.g., internal agency network and Intelink). More than one privilege level (e.g., user, administrator).

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented policies as well as training records to ensure that the organization being inspected/assessed implements policies and training advising users not to use the same password for any of the following: Domains of differing classification levels. More than one domain of a classification level (e.g., internal agency network and Intelink). More than one privilege level (e.g., user, administrator).

Compelling Evidence

1.) Signed and dated SOP/TTP documenting user training requirements 2.) Training records for all users 3.) Training documentation used to train users

The controls below (if any) were marked by NIST as being related to CCI-001621.