Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk.  Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords.  [SP 800-63-3] provides guidance on digital identities. 

Priority: High  

Category:  Identity & Access Management (IAM) 

Services Associated with AWS:  

  • AWS Identity and Access Management (IAM), AWS Certificate Manager, AWS Directory Service, AWS Single Sign-On 

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Identity & Access Management (IAM) practices are implemented
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings 

Possible Technology Considerations : 

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC) 

What needs to be answered :  

Are the accounts in use assigned and managed by the company’s central management system? Are accounts uniquely assigned to new employees, contractors, or subcontractors upon hire? Are initial passwords given to new hires reset upon first use? Are all passwords at least 2 characters with uppercase, lowercase, letters, numbers, and special characters?


  • Authenticate User, Process, and Device Identities
    Description: This check ensures that organizational systems implement authentication mechanisms to verify the identities of users, processes, and devices before granting access. Authentication methods may include passwords, key cards, cryptographic devices, and one-time password devices. Organizations establish and enforce authentication policies, such as minimum password length and validation time window for one-time tokens, to ensure secure authentication practices. It is important to avoid using default authentication credentials, as they are often easily discoverable and pose a significant security risk. System components should not ship with factory default authentication credentials, and organizations should change the initial authenticator content upon installation. Authenticator management includes issuing and revoking authenticators, as well as managing temporary access for remote maintenance. Device authenticators, such as certificates and passwords, are also considered in the authentication process.

More Details:   

Users must authenticate with unique credentials prior to accessing systems containing CUI.