Navigate

CCI-001990

CCI-001990 Definition

Manage system authenticators by changing authenticators for group or role accounts when membership to those accounts changes.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements procedures for changing authenticators for group/role accounts when membership to those accounts changes.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented procedures for group/role authenticator change to ensure the procedures are defined and applied when membership to those accounts changes. The organization conducting the inspection/assessment obtains and examines a sampling of authenticator age data and documentation of personnel role changes to ensure that group/role authenticators are changed when membership changes.

Compelling Evidence

1.) Signed and dated Key Management Policy for changing authenticators for group/role accounts when membership to those accounts change 2.) Signed and dated SOP/TTP for passwords, ensuring procedures in place for changing authenticators for group/role accounts when membership to those account changes.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001990.

Control	Description
IA-5	The organization manages information system authenticators by: a: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b: Establishing initial authenticator content for authenticators defined by the organization; c: Ensuring that authenticators have sufficient strength of mechanism for their intended use; d: Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e: Changing default content of authenticators prior to information system installation; f: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g: Changing/refreshing authenticators [organization-defined time period by authenticator type]; h: Protecting authenticator content from unauthorized disclosure and modification; i: Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j: Changing authenticators for group/role accounts when membership to those accounts changes.

Control

Description

IA-5

The organization manages information system authenticators by:

a: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;

b: Establishing initial authenticator content for authenticators defined by the organization;

c: Ensuring that authenticators have sufficient strength of mechanism for their intended use;

d: Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;

e: Changing default content of authenticators prior to information system installation;

f: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;

g: Changing/refreshing authenticators [organization-defined time period by authenticator type];

h: Protecting authenticator content from unauthorized disclosure and modification;

i: Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and

j: Changing authenticators for group/role accounts when membership to those accounts changes.