Navigate

CCI-000184

CCI-000184 Definition

Manage system authenticators by requiring individuals to take, and having devices implement, specific security controls to protect authenticators.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators. - system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators.

Validation Procedures

Examine: [SELECT FROM: Identification and authentication policy; system security plan; addressing authenticator management; system design documentation; system configuration settings and associated documentation; list of system authenticator types; change control records associated with managing system authenticators; system audit records; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. Test: [SELECT FROM: Mechanisms supporting and/or implementing authenticator management capability].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000184.

Control	Description
IA-5	Manage system authenticators by: a: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b: Establishing initial authenticator content for any authenticators issued by the organization; c: Ensuring that authenticators have sufficient strength of mechanism for their intended use; d: Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e: Changing default authenticators prior to first use; f: Changing or refreshing authenticators [a time period for changing or refreshing authenticators by authenticator type is defined;] or when [events that trigger the change or refreshment of authenticators are defined;] occur; g: Protecting authenticator content from unauthorized disclosure and modification; h: Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i: Changing authenticators for group or role accounts when membership to those accounts changes.

Control

Description

IA-5

Manage system authenticators by:

a: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;

b: Establishing initial authenticator content for any authenticators issued by the organization;

c: Ensuring that authenticators have sufficient strength of mechanism for their intended use;

d: Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;

e: Changing default authenticators prior to first use;

f: Changing or refreshing authenticators [a time period for changing or refreshing authenticators by authenticator type is defined;] or when [events that trigger the change or refreshment of authenticators are defined;] occur;

g: Protecting authenticator content from unauthorized disclosure and modification;

h: Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and

i: Changing authenticators for group or role accounts when membership to those accounts changes.