IA-5 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e
Part f
Part g
Part h
Part i
Part j
IA-5 (1) Control Enhancement (H)
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [FedRAMP Assignment: at least fifty percent (50%)];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [FedRAMP Assignment: twenty-four (24)] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
IA-5 (1) a and d Additional FedRAMP Requirements and Guidance:
Guidance: If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.
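The six parts of IA-5 (1) are easier to reason about as one password-change routine than as six sentences. The block below is an added example written for this page, not FedRAMP or NIST text and not any vendor's implementation. It keeps the two FedRAMP assignments (50% changed characters, 24 generations) and treats every other figure (12-character minimum, one-day minimum lifetime, sixty-day maximum, 100,000 PBKDF2 iterations) as an assumed organization-defined value; the control does not say how "changed characters" are counted, so the example reads it as Levenshtein edit distance over the longer of the two passwords, which is one defensible interpretation rather than a FedRAMP definition. Names such as `change_password`, `Account` and `login` are the example's own.

```python
"""Password-change checks modelling IA-5(1)(a) to (f); added example, not FedRAMP text."""
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (b) and (e) carry the FedRAMP assignments from the control; the other values
# are organization-defined and the figures below are illustrative assumptions.
MIN_LENGTH = 12
MIN_CHANGED_FRACTION = 0.50        # IA-5(1)(b)
HISTORY_GENERATIONS = 24           # IA-5(1)(e)
MIN_LIFETIME = 24 * 3600           # IA-5(1)(d), assumed one day
MAX_LIFETIME = 60 * 24 * 3600      # IA-5(1)(d), assumed sixty days
PBKDF2_ITERATIONS = 100_000        # kept modest for the example; raise for production
SPECIALS = set(string.punctuation)


def hash_password(password: str, salt: bytes) -> bytes:
    """IA-5(1)(c): only this salted, iterated digest is ever stored or compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def complexity_errors(password: str) -> List[str]:
    """IA-5(1)(a): case-sensitive length and character-class requirements."""
    checks = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (any(c.isupper() for c in password), "no upper-case letter"),
        (any(c.islower() for c in password), "no lower-case letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(c in SPECIALS for c in password), "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used here as the count of changed characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def changed_fraction(old: str, new: str) -> float:
    """IA-5(1)(b): changed characters as a share of the longer password (one reading of the control)."""
    return edit_distance(old, new) / max(len(old), len(new), 1)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: float
    temporary: bool = False                                              # IA-5(1)(f)
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)    # prior (salt, digest) pairs


def create_account(password: str, temporary: bool = False, now: Optional[float] = None) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, hash_password(password, salt), time.time() if now is None else now, temporary)


def verify(account: Account, password: str) -> bool:
    return hmac.compare_digest(account.digest, hash_password(password, account.salt))


def login(account: Account, password: str, now: Optional[float] = None) -> str:
    """'ok', 'must-change' (temporary password or past maximum lifetime) or 'denied'."""
    now = time.time() if now is None else now
    if not verify(account, password):
        return "denied"
    if account.temporary or now - account.changed_at > MAX_LIFETIME:
        return "must-change"
    return "ok"


def change_password(account: Account, old: str, new: str, now: Optional[float] = None) -> List[str]:
    """Apply (a) to (f) to a change request; returns the violations, empty on success."""
    now = time.time() if now is None else now
    if not verify(account, old):
        return ["current password incorrect"]
    errors = complexity_errors(new)
    # (b) needs the old plaintext, which exists only now, inside the user's own change request.
    if changed_fraction(old, new) < MIN_CHANGED_FRACTION:
        errors.append(f"fewer than {MIN_CHANGED_FRACTION:.0%} of characters changed")
    # (d) minimum lifetime; a temporary password must be replaceable immediately (f).
    if not account.temporary and now - account.changed_at < MIN_LIFETIME:
        errors.append("minimum password lifetime not reached")
    # (e) the current password plus stored prior generations, each under its own salt.
    generations = [(account.salt, account.digest)] + account.history
    if any(hmac.compare_digest(d, hash_password(new, s)) for s, d in generations[:HISTORY_GENERATIONS]):
        errors.append(f"matches one of the last {HISTORY_GENERATIONS} passwords")
    if errors:
        return errors
    account.history = generations[:HISTORY_GENERATIONS - 1]   # new password becomes generation 1 of 24
    account.salt = secrets.token_bytes(16)
    account.digest = hash_password(new, account.salt)
    account.changed_at = now
    account.temporary = False
    return []
```

Two practical points follow from the code. Part (b) can only be evaluated at change time, because the old password must be available in plaintext for the comparison; it cannot be reconstructed from the stored digest, so a reset performed by an administrator (who does not know the old password) cannot enforce it and should instead issue a temporary password under (f). Part (e) means keeping 24 salted digests per user, all of which become offline-crackable if the credential store leaks, which is one reason the NIST SP 800-63B guidance cited above prefers screening new passwords against breach corpora and rate-limiting verifiers over composition rules and rotation; the example implements the control as worded, and an organization following the 800-63B route would drop the maximum-lifetime check and most of `complexity_errors` in favour of a blocklist lookup.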
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for:
IA-5 (1) What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e
Part f
IA-5 (2) Control Enhancement (M) (H)
The information system, for PKI-based authentication:
(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
(b) Enforces authorized access to the corresponding private key;
(c) Maps the authenticated identity to the account of the individual or group; and
(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
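Part (d) is the piece of IA-5 (2) that most implementations get wrong: a client that silently treats an unreachable CRL distribution point as "not revoked" satisfies neither (a) nor (d). The block below is an added example for this page, not FedRAMP text and not the code of any X.509 library, showing the decision logic a revocation cache needs around the CRL data itself. It models a CRL as a small record carrying the fields a real CRL has (issuer, thisUpdate, nextUpdate, revoked serials) and assumes the library that parses and signature-checks the CRL has already done so before handing it to the cache; the fetcher, the `RevocationCache` class and the constructed scenario in `demo()` are the example's own.

```python
"""Model of the IA-5(2)(d) local revocation cache; added example, not library code."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple


class NetworkUnavailable(Exception):
    """Raised by the fetcher when the CRL distribution point cannot be reached."""


class RevocationUnknown(Exception):
    """Raised when no trustworthy revocation data exists: path validation fails closed."""


@dataclass(frozen=True)
class CRL:
    # The fields a signed X.509 CRL carries; signature verification against the
    # issuer's certificate is assumed to have happened in the X.509 library already.
    issuer: str
    this_update: float
    next_update: float
    revoked: FrozenSet[int]     # revoked certificate serial numbers


class RevocationCache:
    def __init__(self, fetch: Callable[[str], CRL]):
        self._fetch = fetch
        self._cache: Dict[str, CRL] = {}

    @staticmethod
    def _accept(issuer: str, crl: CRL, now: float) -> None:
        """Sanity checks on a freshly fetched CRL before it may replace the cache."""
        if crl.issuer != issuer:
            raise RevocationUnknown("CRL issuer does not match the certificate issuer")
        if crl.this_update > now:
            raise RevocationUnknown("CRL thisUpdate lies in the future")

    def get_crl(self, url: str, issuer: str, now: Optional[float] = None) -> CRL:
        now = time.time() if now is None else now
        cached = self._cache.get(url)
        try:
            fresh = self._fetch(url)
        except NetworkUnavailable:
            # IA-5(2)(d): fall back to the local copy, but only while it is still valid.
            if cached is None:
                raise RevocationUnknown("network unreachable and no cached CRL") from None
            if now > cached.next_update:
                raise RevocationUnknown("cached CRL is past nextUpdate; stale data is not trusted") from None
            return cached
        self._accept(issuer, fresh, now)
        # Rollback protection: an attacker serving an old CRL must not evict a newer one.
        if cached is not None and fresh.this_update < cached.this_update:
            fresh = cached
        self._cache[url] = fresh
        return fresh

    def is_revoked(self, serial: int, url: str, issuer: str, now: Optional[float] = None) -> bool:
        """Status check for one certificate; raises RevocationUnknown rather than guessing."""
        return serial in self.get_crl(url, issuer, now).revoked


def demo() -> Tuple[bool, bool, str]:
    """Constructed scenario: one successful fetch, after which the network goes away."""
    ca = "CN=Example Issuing CA"
    url = "http://crl.example/ca.crl"                     # constructed distribution point
    crl = CRL(ca, this_update=900.0, next_update=2000.0, revoked=frozenset({0x1A2B}))
    state = {"fetched": False}

    def fetch(requested: str) -> CRL:
        if not state["fetched"]:
            state["fetched"] = True
            return crl
        raise NetworkUnavailable(requested)

    cache = RevocationCache(fetch)
    first = cache.is_revoked(0x1A2B, url, ca, now=1000.0)    # live fetch: revoked serial
    second = cache.is_revoked(0x0007, url, ca, now=1500.0)   # network down, cache still valid
    try:
        cache.is_revoked(0x0007, url, ca, now=2500.0)        # network down, cache expired
        stale = "accepted"
    except RevocationUnknown:
        stale = "rejected"
    return first, second, stale
```

The cache answers three distinct situations differently: a reachable distribution point refreshes it, an unreachable one is bridged by the cached CRL for as long as its nextUpdate allows, and an expired cache with no network yields an error rather than a verdict. That last case is the one to decide deliberately in the system design; accepting the certificate there is the "soft-fail" behaviour of many TLS clients, and it is what (d) exists to avoid. The same structure applies to cached OCSP responses, with the response's nextUpdate playing the role of the CRL's.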
IA-5 (2)
Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for:
IA-5 (2) What is the solution and how is it implemented?