CCI-004061
For password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
1
Rule
Severity: Medium
For password-based authentication, AAA Services must be configured to verify when users create or update passwords, and that the passwords are not on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
1
Rule
Severity: Medium
The application must prohibit password reuse for a minimum of five generations.
1
Rule
Severity: Medium
The Central Log Server must for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
1
Rule
Severity: Medium
The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.
1
Rule
Severity: Medium
The DBMS must, for password-based authentication, verify that when users create or update passwords, the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
1
Rule
Severity: Medium
The container platform must for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
1
Rule
Severity: Medium
The DNS server implementation must, for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
1
Rule
Severity: Medium
Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
1
Rule
Severity: Medium
The operating system must, for password-based authentication, verify when users create or update passwords the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
1
Rule
Severity: Medium
The PASSWORD History Count value must be set to 10 or greater.
1
Rule
Severity: Medium
CA-ACF2 must prevent the use of dictionary words for passwords.
1
Rule
Severity: Medium
ACF2 PSWD GSO record value must be set to prohibit password reuse for a minimum of five generations or more.
1
Rule
Severity: Medium
The CA-TSS NEWPW control options must be properly set.
1
Rule
Severity: Medium
The CA-TSS PWHIST Control Option must be set to 10 or greater.
1
Rule
Severity: Medium
The CA-TSS PPHIST Control Option must be properly set.
1
Rule
Severity: Medium
The IBM RACF PASSWORD(HISTORY) SETROPTS value must be set to five or more.
1
Rule
Severity: High
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
1
Rule
Severity: Medium
The Ivanti EPMM server must prohibit password reuse for a minimum of four generations.
1
Rule
Severity: Medium
The Jamf Pro EMM local accounts must prohibit password reuse for a minimum of five generations.
1
Rule
Severity: High
The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
1
Rule
Severity: Medium
The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.
1
Rule
Severity: Medium
The Mainframe Product must, for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
1
Rule
Severity: Medium
MKE must be configured to integrate with an Enterprise Identity Provider.
2
Rule
Severity: Medium
The password history must be configured to 24 passwords remembered.
1
Rule
Severity: Medium
Windows Server 2019 password history must be configured to 24 passwords remembered.
1
Rule
Severity: Medium
Windows Server 2022 password history must be configured to 24 passwords remembered.
1
Rule
Severity: Medium
The network device must be configured to verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a) for password-based authentication.
1
Rule
Severity: Medium
The DBMS must support organizational requirements to prohibit password reuse for the organization-defined number of generations.
1
Rule
Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
1
Rule
Severity: High
OpenShift must use FIPS validated LDAP or OpenIDConnect.
1
Rule
Severity: Low
Splunk Enterprise must prohibit password reuse for a minimum of five generations for the account of last resort.
1
Rule
Severity: Low
Splunk Enterprise must be configured to prohibit password reuse for a minimum of five generations.
1
Rule
Severity: High
The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
1
Rule
Severity: Medium
The use of a Solidcore 8.x local Command Line Interface (CLI) Access Password must be documented in the organization's written policy.
1
Rule
Severity: Medium
The VMM must, for password-based authentication, verify when users create or update passwords that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
1
Rule
Severity: Medium
The ESXi host must prohibit password reuse for a minimum of five generations.
1
Rule
Severity: Medium
The web server must, for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
1
Rule
Severity: Medium
The vCenter Server must prohibit password reuse for a minimum of five generations.
1
Rule
Severity: Medium
The Photon operating system must prohibit password reuse for a minimum of five generations.
1
Rule
Severity: Medium
The Photon operating system must be configured to use the pam_pwhistory.so module.
1
Rule
Severity: High
Apple iOS/iPadOS 18 must be configured to enforce a passcode reuse prohibition of at least two generations.
1
Rule
Severity: Medium
The UEM server must prohibit password reuse for a minimum of five generations.