πΌ IA-5(1) Password-based Authentication (L)(M)(H)
- ID:
/frameworks/fedramp-moderate-security-controls/ia/05/01
Descriptionβ
For password-based authentication:
(a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
(c) Transmit passwords only over cryptographically-protected channels;
(d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;
(e) Require immediate selection of a new password upon account recovery;
(f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;
(g) Employ automated tools to assist the user in selecting strong password authenticators; and
(h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].
IA-5 (1) Additional FedRAMP Requirements and Guidance:
Guidance: Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).
Requirement: Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.
(h) Requirement: For cases where technology doesnβt allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.
For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.
Similarβ
- Sections
/frameworks/fedramp-high-security-controls/ia/05/01
- Internal
- ID:
dec-c-ab7872ee
- ID:
Similar Sections (Take Policies From)β
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| πΌ FedRAMP High Security Controls β πΌ IA-5(1) Password-based Authentication (L)(M)(H) | 1 | 8 | no data |
Sub Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|
Policies (8)β
| Policy | Logic Count | Flags | Compliance |
|---|---|---|---|
| π‘οΈ AWS Account IAM Password Policy minimum password length is 14 characters or lessπ’ | 1 | π’ x6 | no data |
| π‘οΈ AWS Account IAM Password Policy Number of passwords to remember is not set to 24π’ | 1 | π’ x6 | no data |
| π‘οΈ AWS API Gateway REST API Stage is not configured to use an SSL certificate for authenticationπ’ | 1 | π’ x6 | no data |
| π‘οΈ AWS CloudFront Web Distribution Cache Behaviors allow unencrypted trafficπ’ | 1 | π’ x6 | no data |
| π‘οΈ AWS CloudFront Web Distribution uses default SSL/TLS certificateπ’ | 1 | π’ x6 | no data |
| π‘οΈ AWS CloudFront Web Distribution uses Dedicated IP for SSLπ’ | 1 | π’ x6 | no data |
| π‘οΈ AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Originsπ’ | 1 | π’ x6 | no data |
| π‘οΈ AWS S3 Bucket Policy is not set to deny HTTP requestsπ’ | 1 | π’ x6 | no data |