CMMC IA.2.080 - Limit Use of Temporary Password

Requirement text: IA.2.080: Allow temporary password use for system logons with an immediate
change to a permanent password.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Changing temporary passwords to permanent passwords immediately after system logon
ensures that the necessary strength of the authentication mechanism is implemented at the
earliest opportunity, reducing the susceptibility to authenticator compromises.

CMMC CLARIFICATION
Users must change their temporary passwords the first time they log in. Temporary
passwords usually follow a consistent style within an organization and can be more easily
guessed than passwords created by the unique user.

Example
You are in charge of setting temporary passwords for your users. Users must change their
temporary passwords to a permanent password the first time they log in.

References
• NIST SP 800-171 Rev 1 3.5.9
• NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7
• NIST SP 800-53 Rev 4 IA-5(1)