{"id":1195,"date":"2024-07-17T17:04:07","date_gmt":"2024-07-17T17:04:07","guid":{"rendered":"https:\/\/www.tarleton.edu\/security-controls-catalog\/?page_id=1195"},"modified":"2024-09-06T21:02:22","modified_gmt":"2024-09-06T21:02:22","slug":"ia-5-authenticator-management","status":"publish","type":"page","link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/identification-and-authentication-ia\/ia-5-authenticator-management\/","title":{"rendered":"IA-5: Authenticator Management"},"content":{"rendered":"\n<h1 class=\"wp-block-heading has-large-font-size\">IA-5: Authenticator Management<\/h1>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>NIST Baseline: <\/strong>Low<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>DIR Required By: <\/strong>07\/20\/2023<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>Review Date: <\/strong>07\/10\/2024<\/h2>\n\n\n\n<ul class=\"wp-block-list its-nested-list\">\n<li>Passwords and other authenticators must be treated as confidential information in accordance with <a href=\"https:\/\/policies.tamus.edu\/29-01-03.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Texas A&amp;M University System (TAMUS) Regulation 29.01.03, Information Security<\/a>:\n<ul class=\"wp-block-list\">\n<li>Users are prohibited from sharing their password or authenticator with any other person.<\/li>\n\n\n\n<li>If the confidentiality of a password or authenticator is in doubt, it must be changed immediately.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>The identity of the individual, group, role, service, or device receiving an authenticator must be verified as part of the initial authenticator distribution.<\/li>\n\n\n\n<li>Initial authenticator content for any authenticator issued by the university must be set in accordance with established procedures.<\/li>\n\n\n\n<li>Default or assigned passwords must be changed prior to first use.<\/li>\n\n\n\n<li>Passwords must be protected both in storage and in transit.\n<ul class=\"wp-block-list\">\n<li>Stored passwords must be kept only as one-way cryptographic hashes, never in plaintext or in a reversibly encrypted form, using cryptographic modules as specified by <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/identification-and-authentication-ia\/ia-7-cryptographic-module-authentication\/\" data-type=\"page\" data-id=\"1201\">Control IA-7, Cryptographic Module Authentication<\/a>.<\/li>\n\n\n\n<li>Where feasible, password hashes should be salted, using a unique randomly generated salt for each password.<\/li>\n\n\n\n<li>Passwords must be encrypted when transmitted (for example, submitted only over an encrypted channel such as TLS).<\/li>\n\n\n\n<li>A temporary password transmitted for the sole purpose of establishing a new password or changing a password may be exempted from the encryption requirement if it is a one-time transmission and the user is required to change the password upon first logon.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Users will be directed to use self-service password reset when they need to change their password. If a user is not able to perform a self-service reset, their identity must be verified before the password is changed:\n<ul class=\"wp-block-list\">\n<li>The password must be changed to a temporary password; and<\/li>\n\n\n\n<li>The user must change the temporary password at first logon (where applicable).<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>When automated password generation programs are utilized:\n<ul class=\"wp-block-list\">\n<li>Non-predictable methods of generation (e.g., a cryptographically secure random number generator) must be used;<\/li>\n\n\n\n<li>Where feasible, systems that auto-generate passwords for initial account establishment must force a password change upon first entry into the system; and<\/li>\n\n\n\n<li>Where feasible, password management and automated password generation systems must be capable of maintaining auditable transaction logs containing information such as:\n<ul class=\"wp-block-list\">\n<li>Time and date of password change, expiration, and administrative reset;<\/li>\n\n\n\n<li>Type of action performed; and<\/li>\n\n\n\n<li>Source system (e.g., IP and\/or MAC address) that originated the change request.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>If a password or other authenticator is known or suspected to be compromised, the event must be reported as a security incident following <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/incident-response-ir\/ir-6-incident-reporting\/\" data-type=\"page\" data-id=\"1219\">Control IR-6, Incident Reporting<\/a>.<\/li>\n\n\n\n<li>Where feasible, the following password complexity requirements will be implemented:\n<ul class=\"wp-block-list\">\n<li>The password must be 8 characters or more.<\/li>\n\n\n\n<li>The password may not match any of the user&#8217;s previous 10 passwords.<\/li>\n\n\n\n<li>Privileged accounts must meet additional complexity requirements.<\/li>\n\n\n\n<li>Any additional password complexity requirements defined by the applicable Group Policy and the <a href=\"https:\/\/www.tarleton.edu\/technology\/wp-content\/uploads\/sites\/170\/2022\/07\/password-auth-standard.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Tarleton Office of Innovative Technology Services (OITS) \u2013 Password Authentication Standards<\/a>, in addition to any applicable internal procedures referencing password complexity requirements.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Where feasible, user-selected passwords must be checked by a password audit system to ensure that they meet the complexity requirements.<\/li>\n\n\n\n<li>The information resource custodian responsible for a group\/role account (e.g., a service account) will ensure that the password or authenticator is changed immediately when a user&#8217;s authorization to use the account is revoked.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\">References\/Additional Resources<\/h3>\n\n\n\n<p><a href=\"https:\/\/policies.tamus.edu\/29-01-03.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">TAMUS Regulation 29.01.03, Information Security<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.tarleton.edu\/technology\/wp-content\/uploads\/sites\/170\/2022\/07\/password-auth-standard.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Tarleton OITS \u2013 Password Authentication Standards<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>IA-5: Authenticator Management NIST Baseline: Low DIR Required By: 07\/20\/2023 Review Date: 07\/10\/2024 References\/Additional Resources TAMUS Regulation 29.01.03, Information Security Tarleton OITS \u2013 Password Authentication Standards<\/p>\n","protected":false},"author":1,"featured_media":580,"parent":1399,"menu_order":6,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","footnotes":""},"class_list":["post-1195","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"coauthors":[],"author_meta":{"author_link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/author\/brian-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-3\/","display_name":"brian"},"relative_dates":{"created":"Posted 2 years ago","modified":"Updated 2 years ago"},"absolute_dates":{"created":"Posted on July 17, 2024","modified":"Updated on September 6, 2024"},"absolute_dates_time":{"created":"Posted on July 17, 2024 5:04 pm","modified":"Updated on September 6, 2024 9:02 pm"},"featured_img_caption":"","featured_img":false,"series_order":"","_links":{"self":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/comments?post=1195"}],"version-history":[{"count":0,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1195\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1399"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/media?parent=1195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
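The IA-5 page above states requirements (salted one-way hashing of stored passwords, a minimum length of 8, no reuse of the previous 10 passwords, non-predictable generation of temporary passwords, a forced change at first logon after an administrative reset, and an auditable transaction log) without showing how they fit together in code. The following Python module is an added illustration written for this corpus; it is not code from the page, from Tarleton, or from any product the page references. The record format, the class and function names, the PBKDF2 work factor and the in-memory store are all assumptions made for the example; the iteration count is the PBKDF2-HMAC-SHA256 figure in the OWASP Password Storage Cheat Sheet.

```python
"""Added example: one way to implement the IA-5 password-handling rules
(salted hash storage, length and history checks, CSPRNG temporary passwords,
forced change at first logon, audit log). All names are assumptions."""
import hashlib
import hmac
import os
import secrets
import string
from datetime import datetime, timezone
from typing import Optional

MIN_LENGTH = 8               # "The password must be 8 characters or more."
HISTORY_DEPTH = 10           # "may not be reused from the previous 10 passwords"
PBKDF2_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor per the OWASP cheat sheet
TEMP_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted one-way hash. A fresh 16-byte random salt is drawn per password, so two
    users with the same password get different stored values. The salt travels with
    the digest in a '$'-separated record (record layout is an assumption)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def generate_temporary_password(length: int = 16) -> str:
    """Non-predictable generation: the secrets module (OS CSPRNG), never random.random()."""
    if length < MIN_LENGTH:
        raise ValueError("temporary password shorter than the minimum length")
    return "".join(secrets.choice(TEMP_ALPHABET) for _ in range(length))


class PasswordStore:
    """In-memory store: current hash, bounded hash history and audit log per user."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS):
        self.iterations = iterations
        self.current = {}      # user -> stored hash record
        self.history = {}      # user -> last HISTORY_DEPTH hash records (hashes only, never plaintext)
        self.must_change = {}  # user -> True while a temporary password is in force
        self.audit_log = []    # time/date, action type, source system, user

    def _log(self, user: str, action: str, source: str) -> None:
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "user": user, "action": action, "source": source})

    def set_password(self, user: str, new_password: str, source: str) -> bool:
        """Apply the length and history rules; return False (and log why) on rejection."""
        if len(new_password) < MIN_LENGTH:
            self._log(user, "change_rejected_too_short", source)
            return False
        previous = self.history.get(user, [])
        # History holds hashes, so reuse is detected by re-verifying against each record.
        if any(verify_password(h, new_password) for h in previous):
            self._log(user, "change_rejected_reused", source)
            return False
        record = hash_password(new_password, iterations=self.iterations)
        self.current[user] = record
        self.history[user] = (previous + [record])[-HISTORY_DEPTH:]
        self.must_change[user] = False
        self._log(user, "change", source)
        return True

    def admin_reset(self, user: str, source: str) -> str:
        """Help-desk reset after identity verification: temporary password, forced change."""
        temp = generate_temporary_password()
        self.current[user] = hash_password(temp, iterations=self.iterations)
        self.must_change[user] = True
        self._log(user, "administrative_reset", source)
        return temp

    def authenticate(self, user: str, password: str) -> tuple:
        """Return (accepted, change_required)."""
        stored = self.current.get(user)
        ok = stored is not None and verify_password(stored, password)
        return ok, bool(ok and self.must_change.get(user, False))
```

Two design points worth noting. The history check costs up to ten full PBKDF2 computations per change because only hashes are retained; that is the price of never keeping old passwords in a recoverable form, and it is acceptable for an operation as infrequent as a password change. The temporary password from `admin_reset` is deliberately not added to the history, so the user's own choice at first logon is still checked against the ten passwords they actually used.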