137 – Change temporary passwords of third parties

Summary

The system must force the change of temporary passwords, which are generated by a third party, after their first use.

Description

Temporary passwords are often harder to remember and shared over systems whose future integrity may not be guaranteed by the system that created them. Furthermore, there is no control over who has access to the secret besides the third party. Therefore, the passwords should be changed after their first use.

Supported In

Advanced: True

References

• NIST80063-6_1_1. Binding at enrollment
• MITRE-M1027. Password policies
• CMMC-IA_L2-3_5_9. Temporary passwords
• HITRUST-01_d. User password management
• HITRUST-05_k. Addressing security in third party agreements
• HITRUST-09_g. Managing changes to third party services
• FEDRAMP-IA-5_3. Authenticator management - In-person or trusted third-party registration
• FEDRAMP-PS-7. Third-party personnel security
• NIST800171-5_9. Allow temporary password use for system logons with an immediate change to a permanent password
• SIG-H_3_1_8. Access control

Last updated

2023/09/18