Navigate

IA-5(4)

IA-5(4): Automated Support for Password Strength Determination

The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [one of ].

Supplemental

This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1).

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to IA-5(4).

Control	Description
CA-2	The organization: a: Develops a security assessment plan that describes the scope of the assessment including: 1: Security controls and control enhancements under assessment; 2: Assessment procedures to be used to determine security control effectiveness; and 3: Assessment environment, assessment team, and assessment roles and responsibilities; b: Assesses the security controls in the information system and its environment of operation [one of ] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c: Produces a security assessment report that documents the results of the assessment; and d: Provides the results of the security control assessment to [one of ].
CA-7	The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a: Establishment of [one of ] to be monitored; b: Establishment of [one of ] for monitoring and [one of ] for assessments supporting such monitoring; c: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e: Correlation and analysis of security-related information generated by assessments and monitoring; f: Response actions to address results of the analysis of security-related information; and g: Reporting the security status of organization and the information system to [one of ] [one of ].
RA-5	The organization: a: Scans for vulnerabilities in the information system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1: Enumerating platforms, software flaws, and improper configurations; 2: Formatting checklists and test procedures; and 3: Measuring vulnerability impact; c: Analyzes vulnerability scan reports and results from security control assessments; d: Remediates legitimate vulnerabilities [one of ] in accordance with an organizational assessment of risk; and e: Shares information obtained from the vulnerability scanning process and security control assessments with [one of ] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Enhancements

The controls below (if any) add on to the requirements of IA-5(4).

Control	Description
No controls

Related CCIs

The CCIs below are tied to IA-5(4).

CCI	Definition
CCI-001996	The organization defines the requirements required by the automated tools to determine if password authenticators are sufficiently strong.
CCI-001997	The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy organization-defined requirements.