>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

3.5.9Identification and Authentication - Derived

Derived Requirement

>Control Description

Allow temporary password use for system logons with an immediate change to a permanent password.

>Discussion

Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises.

>Cross-Framework Mappings

CMMC

IA.L2-3.5.9
Compare

SCF

IAC-10
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What documented policies and procedures address identification and authentication - derived for CUI systems?
  • Who is accountable for implementing and maintaining identification and authentication - derived controls?
  • How frequently are identification and authentication - derived requirements reviewed, and what triggers updates?
  • What process ensures changes to systems maintain compliance with identification and authentication - derived requirements?
  • How are exceptions to identification and authentication - derived requirements documented and approved?

Technical Implementation:

  • What technical controls enforce identification and authentication - derived in your CUI environment?
  • How are identification and authentication - derived controls configured and maintained across all CUI systems?
  • What automated mechanisms support identification and authentication - derived compliance?
  • How do you validate that identification and authentication - derived implementations achieve their intended security outcome?
  • What compensating controls exist if primary identification and authentication - derived controls cannot be fully implemented?

Evidence & Documentation:

  • What documentation proves identification and authentication - derived is implemented and operating effectively?
  • Can you provide configuration evidence showing how identification and authentication - derived is technically enforced?
  • What audit logs or monitoring data demonstrate ongoing identification and authentication - derived compliance?
  • Can you show evidence of a recent review or assessment of identification and authentication - derived controls?
  • What artifacts would you provide to a CMMC assessor to demonstrate identification and authentication - derived compliance?

Ask AI

Configure your API key to use AI features.