Navigate

CCI-000182

CCI-000182 Definition

Manage system authenticators by changing or refreshing authenticators in accordance with the organization-defined time period by authenticator type or when organization-defined events occur.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements procedures for changing/refreshing authenticators in the following time periods: CAC - every 3 years, or 1 year from term of contract Password: 60 days Biometrics: every 3 years. DoD has defined the time period as CAC - every 3 years, or 1 year from term of contract Password: 60 days Biometrics: every 3 years.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented procedures for authenticator change/refresh to ensure the procedures are defined. The organization conducting the inspection/assessment obtains and examines a sampling of authenticator age data to ensure that authenticators are changed or refreshed in the following time periods: CAC - every 3 years, or 1 year from term of contract Password: 60 days Biometrics: every 3 years. DoD has defined the time period as CAC - every 3 years, or 1 year from term of contract Password: 60 days Biometrics: every 3 years.

Compelling Evidence

1.) Signed and dated Key Management Policy implementing procedures for changing/refreshing authenticators.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000182.

Control	Description
IA-5	The organization manages information system authenticators by: a: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b: Establishing initial authenticator content for authenticators defined by the organization; c: Ensuring that authenticators have sufficient strength of mechanism for their intended use; d: Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e: Changing default content of authenticators prior to information system installation; f: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g: Changing/refreshing authenticators [organization-defined time period by authenticator type]; h: Protecting authenticator content from unauthorized disclosure and modification; i: Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j: Changing authenticators for group/role accounts when membership to those accounts changes.

Control

Description

IA-5

The organization manages information system authenticators by:

a: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;

b: Establishing initial authenticator content for authenticators defined by the organization;

c: Ensuring that authenticators have sufficient strength of mechanism for their intended use;

d: Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;

e: Changing default content of authenticators prior to information system installation;

f: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;

g: Changing/refreshing authenticators [organization-defined time period by authenticator type];

h: Protecting authenticator content from unauthorized disclosure and modification;

i: Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and

j: Changing authenticators for group/role accounts when membership to those accounts changes.