Defined Password Lifetime, v1.0

Defines conformance and assessment criteria for compliance with minimum security requirements for defined password lifetime as related to overall identification and authentication requirements.
If an assessment step references organization-defined elements (E.g. <organization-defined personnel or roles>, <organization-defined frequency>, etc.), corresponding citations/excerpts must be provided to confirm that the organization has established and documented these values and that they apply as referenced in the conformance criteria.

Similarly, if a "Selection" among multiple options (e.g. [Selection (one or more): as needed; ]) is specified, evidence must be provided to establish that the option(s) implemented by the organization have been defined and documented.

The assessment step shall not be marked as satisfied without this evidence.

Assessment Steps (2)

1
Password Lifetime Minimum (PasswordLifetimeMinimum)
For password-based authentication, does the information system enforce password minimum lifetime restrictions of <organization-defined numbers for lifetime minimum>?
Artifacts
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
A2
Provide the minimum time period (in days) between permitted password changes.
A3
Provide the maximum time period (in days) before a password change is required.
Parameter
Password Lifetime Minimumrequired
NUMBER : Provide the minimum time period (in days) permitted between password changes.
2
Password Lifetime Maximum (PasswordLifetimeMaximum)
For password-based authentication, does the information system enforce password maximum lifetime restrictions of <organization-defined numbers for lifetime maximum>?
Artifacts
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
A2
Provide the minimum time period (in days) between permitted password changes.
A3
Provide the maximum time period (in days) before a password change is required.
Parameter
Password Lifetime Maximum (Days)required
NUMBER : Provide the maximum lifetime enforced by the information system before passwords must be changed.
If conformance criteria reference organization-defined elements (e.g. <organization-defined personnel or roles>, <organization-defined frequency>, etc.), these values must be defined and documented by the organization.

Similarly, if the criteria specify a "Selection" among multiple options (e.g. [Selection (one or more): as needed; ]), the option(s) implemented by the organization must also be defined and documented.

Conformance Criteria (2)

C1
For password-based authentication, the information system must enforce password minimum and maximum lifetime restrictions of <organization-defined numbers for lifetime minimum, lifetime maximum>.
Citation
SP800-53R4
Appendix F, IA-5 (1)
C2
For password-based authentication, the information system must enforce password minimum and maximum lifetime restrictions of <organization-defined numbers for lifetime minimum, lifetime maximum>.
Citation
SP800-53R4
Appendix F, IA-5 (1)