💼 IA-5(1) Password-based Authentication (L)(M)(H)
- ID:
/frameworks/fedramp-low-security-controls/ia/05/01
Description
For password-based authentication:
(a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
(c) Transmit passwords only over cryptographically-protected channels;
(d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;
(e) Require immediate selection of a new password upon account recovery;
(f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;
(g) Employ automated tools to assist the user in selecting strong password authenticators; and
(h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].
IA-5 (1) Additional FedRAMP Requirements and Guidance:
Guidance: Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).
Requirement: Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.
(h) Requirement: For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.
For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.
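The following Python is an added illustration of how requirements (b), (d), (f) and (h) fit together in an application, not code from FedRAMP, NIST or this page. It assumes PBKDF2-HMAC-SHA256 with a per-user salt as the "approved salted key derivation function" and an HMAC-SHA256 pepper as the "keyed hash" (both FIPS-approved primitives, which matters for the SC-13 note above), a 600,000-iteration work factor, and a tiny constructed blocklist standing in for the organization's list from (a). Length is counted after NFKC normalization, spaces and all printable characters are accepted, and no composition rules are imposed, in line with the FedRAMP requirement that memorized secrets have no special-character or rotation rules.

```python
"""IA-5(1)-style password checks: blocklist (b), salted keyed-hash storage (d),
long passphrases with spaces (f), 14-character minimum (h).

Added example, not FedRAMP/NIST/tool code.  Blocklist, pepper and sample
passwords are constructed for illustration.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# (a) stand-in for the organization's commonly-used/expected/compromised list.
# Entries are stored NFKC-normalized and case-folded, and candidates are
# normalized the same way, so "Password123!" and "password123!" both match.
BLOCKLIST = {
    "password123!",
    "welcome to the company",
    "summer2024",
    "correct horse battery staple",
}

MIN_LENGTH = 14          # FedRAMP (h): minimum where MFA is not possible
PBKDF2_ITERATIONS = 600_000  # assumed work factor (OWASP-level for SHA-256)
SALT_BYTES = 16

# Server-side secret for the keyed hash ("pepper").  Constructed for the example;
# in production it lives in an HSM or secrets manager, never beside the hashes.
PEPPER = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)


def normalize(text: str) -> str:
    """NFKC so equivalent Unicode spellings compare equal; casefold for matching."""
    return unicodedata.normalize("NFKC", text).casefold()


def check_password(password: str, username: str = "") -> list:
    """Return the reasons a candidate is rejected (empty list means accepted).

    No composition rules: the only hard requirements are length, printable
    characters, absence from the blocklist and not containing the account name
    (an "expected" password in the sense of (a)).
    """
    reasons = []
    normalized = unicodedata.normalize("NFKC", password)
    if len(normalized) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Unicode category C* covers control and format characters (tab, newline,
    # zero-width joiners); ordinary space is category Zs and is allowed.
    if any(unicodedata.category(ch).startswith("C") for ch in normalized):
        reasons.append("contains control characters")
    if normalized.casefold() in BLOCKLIST:
        reasons.append("found on the compromised/common password list")
    if username and normalize(username) in normalized.casefold():
        reasons.append("contains the account name")
    return reasons


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, then HMAC-SHA256 under the pepper (keyed hash).

    Stored record: algorithm$iterations$salt_hex$tag_hex.  The pepper is not stored,
    so a leaked table of records cannot be attacked offline without it.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    derived = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=32)
    tag = hmac.new(PEPPER, derived, hashlib.sha256).digest()
    return f"pbkdf2-sha256${iterations}${salt.hex()}${tag.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the record from its stored salt/iterations and compare in constant time."""
    alg, iterations, salt_hex, _tag_hex = record.split("$")
    if alg != "pbkdf2-sha256":
        return False
    recomputed = hash_password(password, salt=bytes.fromhex(salt_hex),
                               iterations=int(iterations))
    return hmac.compare_digest(recomputed, record)


if __name__ == "__main__":
    for candidate in ("Password123!", "correct horse battery staple",
                      "my dog's name is Rex, born 2019"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
    rec = hash_password("my dog's name is Rex, born 2019")
    print(rec)
    print(verify_password("my dog's name is Rex, born 2019", rec),
          verify_password("my dog's name is Rex, born 2018", rec))
```

`check_password` deliberately reports every failing reason rather than the first one, which is what the "automated tools to assist the user" in (g) need to give useful feedback; the blocklist check is an exact match after normalization, so a production list should also be screened for close variants (common substitutions, appended digits) before being loaded.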
Similar
- Sections
/frameworks/nist-sp-800-53-r5/ia/05/01
/frameworks/fedramp-high-security-controls/ia/05/01
- Internal
- ID:
dec-c-ab7872ee
Similar Sections (Take Policies From)
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 FedRAMP High Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 1 | | 8 | | no data |
| 💼 NIST SP 800-53 Revision 5 → 💼 IA-5(1) Authenticator Management _ Password-based Authentication | | | 8 | | no data |
Sub Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
Policies (8)
| Policy | Logic Count | Flags | Compliance |
|---|---|---|---|
| 🛡️ AWS Account IAM Password Policy minimum password length is 14 characters or less🟢 | 1 | 🟢 x6 | no data |
| 🛡️ AWS Account IAM Password Policy Number of passwords to remember is not set to 24🟢 | 1 | 🟢 x6 | no data |
| 🛡️ AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication🟢 | 1 | 🟢 x6 | no data |
| 🛡️ AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic🟢 | 1 | 🟢 x6 | no data |
| 🛡️ AWS CloudFront Web Distribution uses default SSL/TLS certificate🟢 | 1 | 🟢 x6 | no data |
| 🛡️ AWS CloudFront Web Distribution uses Dedicated IP for SSL🟢 | 1 | 🟢 x6 | no data |
| 🛡️ AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins🟢 | 1 | 🟢 x6 | no data |
| 🛡️ AWS S3 Bucket Policy is not set to deny HTTP requests🟢 | 1 | 🟢 x6 | no data |
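The two IAM policies in the table check the account password policy itself; the remaining six (API Gateway, CloudFront, S3) cover requirement (c), that passwords travel only over cryptographically-protected channels. The Python below is an added example, not the tool's own rule logic, of evaluating an AWS IAM account password policy against the settings this page maps: a 14-character minimum and a 24-password reuse window, plus the FedRAMP guidance that memorized secrets carry no special-character or rotation requirement. It assumes the policy dict has the shape returned by boto3's `iam.get_account_password_policy()["PasswordPolicy"]` (the key names are AWS's), and treats a missing policy as the AWS default of an 8-character minimum with no other rules; the sample policies are constructed.

```python
"""Evaluate an AWS IAM account password policy against the IA-5(1) settings
mapped on this page.  Added example; not the compliance tool's rule logic.

Input shape follows boto3: iam.get_account_password_policy()["PasswordPolicy"].
That call raises NoSuchEntityException when no policy has been set, in which
case AWS applies its default (8-character minimum, nothing else), so None is
accepted here and evaluated as that default.
"""
from typing import Optional

MIN_LENGTH = 14        # FedRAMP (h) requirement on this page
REUSE_PREVENTION = 24  # value the mapped "passwords to remember" policy expects

# AWS default applied when no account password policy exists (assumed here).
AWS_DEFAULT_POLICY = {"MinimumPasswordLength": 8}


def evaluate_iam_password_policy(policy: Optional[dict]) -> list:
    """Return a list of findings; an empty list means the policy conforms."""
    if policy is None:
        policy = AWS_DEFAULT_POLICY
    findings = []

    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(f"MinimumPasswordLength is {length}, required {MIN_LENGTH}")

    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse != REUSE_PREVENTION:
        findings.append(f"PasswordReusePrevention is {reuse}, expected {REUSE_PREVENTION}")

    # FedRAMP guidance: no special-character composition rules for memorized secrets.
    if policy.get("RequireSymbols", False):
        findings.append("RequireSymbols is enabled; special-character rules are not permitted")

    # FedRAMP guidance: no minimum rotation requirement.  AWS only returns
    # MaxPasswordAge when ExpirePasswords is true.
    if policy.get("ExpirePasswords", False):
        age = policy.get("MaxPasswordAge")
        findings.append(f"ExpirePasswords is enabled (MaxPasswordAge={age}); rotation rules are not permitted")

    # Users must be able to change a recovered password immediately (e).
    if not policy.get("AllowUsersToChangePassword", False):
        findings.append("AllowUsersToChangePassword is disabled")

    return findings


# Constructed samples in the boto3 response shape.
CONFORMING_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}

LEGACY_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 5,
}


if __name__ == "__main__":
    for name, policy in (("conforming", CONFORMING_POLICY),
                         ("legacy", LEGACY_POLICY),
                         ("no policy set", None)):
        print(f"{name}:")
        for finding in evaluate_iam_password_policy(policy) or ["no findings"]:
            print("  -", finding)
```

To run it against a live account, replace the sample dict with the `PasswordPolicy` value from `boto3.client("iam").get_account_password_policy()` and catch `iam.exceptions.NoSuchEntityException` to pass `None`.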