Skip to main content

IAC-10.1: Password-Based Authentication

IAC 9 — Critical Protect

Mechanisms exist to enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication.

Control Question: Does the organization enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication?

General (45)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC6.6-POF2
CIS CSC 8.1 5.2
CIS CSC 8.1 IG1 5.2
CIS CSC 8.1 IG2 5.2
CIS CSC 8.1 IG3 5.2
CSA CCM 4 IAM-02 IAM-14 IAM-15
CSA IoT SCF 2 IAM-18 IAM-19 IAM-21
GovRAMP Core IA-05(01)
GovRAMP Low IA-05(01)
GovRAMP Low+ IA-05(01)
GovRAMP Moderate IA-05(01)
GovRAMP High IA-05(01)
IEC 62443-4-2 2019 CR 1.5 (5.7.1) CR 1.7 (5.9.1) CR 1.7 (5.9.1(1))
ISO 27002 2022 5.17
ISO 27017 2015 9.2.4 9.4.3
MPA Content Security Program 5.1 TS-1.6
NIST 800-53 R4 IA-5(1)
NIST 800-53 R4 (low) IA-5(1)
NIST 800-53 R4 (moderate) IA-5(1)
NIST 800-53 R4 (high) IA-5(1)
NIST 800-53 R5 (source) IA-5(1)
NIST 800-53B R5 (low) (source) IA-5(1)
NIST 800-53B R5 (moderate) (source) IA-5(1)
NIST 800-53B R5 (high) (source) IA-5(1)
NIST 800-63B 5.1.1.1 5.1.1.2 5.2.2
NIST 800-82 R3 LOW OT Overlay IA-5(1)
NIST 800-82 R3 MODERATE OT Overlay IA-5(1)
NIST 800-82 R3 HIGH OT Overlay IA-5(1)
NIST 800-171 R2 (source) 3.5.7
NIST 800-171A (source) 3.5.7[a] 3.5.7[b] 3.5.7[c] 3.5.7[d]
NIST 800-171 R3 (source) 03.05.07.e 03.05.07.f 03.05.12.b 03.05.12.c 03.05.12.d 03.05.12.e 03.05.12.f
NIST 800-171A R3 (source) A.03.05.07.ODP[02] A.03.05.07.f
OWASP Top 10 2021 A07:2021
PCI DSS 4.0.1 (source) 8.3 8.3.1 8.3.10.1 8.3.3 8.3.5 8.3.6 8.3.7 8.3.9 8.6.3
PCI DSS 4.0.1 SAQ A (source) 8.3.1 8.3.5 8.3.6 8.3.7 8.3.9
PCI DSS 4.0.1 SAQ A-EP (source) 8.3.1 8.3.3 8.3.5 8.3.6 8.3.7 8.3.9 8.6.3
PCI DSS 4.0.1 SAQ C (source) 8.3.1 8.3.3 8.3.5 8.3.6 8.3.7 8.3.9 8.6.3
PCI DSS 4.0.1 SAQ C-VT (source) 8.3.1 8.3.6
PCI DSS 4.0.1 SAQ D Merchant (source) 8.3.1 8.3.3 8.3.5 8.3.6 8.3.7 8.3.9 8.6.3
PCI DSS 4.0.1 SAQ D Service Provider (source) 8.3.1 8.3.3 8.3.5 8.3.6 8.3.7 8.3.9 8.3.10.1 8.6.3
SWIFT CSF 2023 4.1
UL 2900-1 2017 8.3
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) IAC-10.1
SCF CORE ESP Level 2 Critical Infrastructure IAC-10.1
SCF CORE ESP Level 3 Advanced Threats IAC-10.1
US (28)
Framework Mapping Values
US C2M2 2.1 ACCESS-1.B.MIL1 ACCESS-1.D.MIL2
US CISA CPG 2022 2.B 2.L
US CJIS Security Policy 5.9.3 (source) IA-5 IA-5(1)
US CMMC 2.0 Level 2 (source) IA.L2-3.5.7
US CMMC 2.0 Level 3 (source) IA.L2-3.5.7
US CMS MARS-E 2.0 IA-5(1)
US DoD Zero Trust Execution Roadmap 1.8.1
US FDA 21 CFR Part 11 11.300 11.300(a) 11.300(b) 11.300(c) 11.300(d) 11.300(e)
US FedRAMP R4 IA-5(1)
US FedRAMP R4 (low) IA-5(1)
US FedRAMP R4 (moderate) IA-5(1)
US FedRAMP R4 (high) IA-5(1)
US FedRAMP R4 (LI-SaaS) IA-5(1)
US FedRAMP R5 (source) IA-5(1)
US FedRAMP R5 (low) (source) IA-5(1)
US FedRAMP R5 (moderate) (source) IA-5(1)
US FedRAMP R5 (high) (source) IA-5(1)
US FedRAMP R5 (LI-SaaS) (source) IA-5(1)
US HIPAA HICP Medium Practice 3.M.C
US HIPAA HICP Large Practice 3.M.C
US IRS 1075 IA-5(1)
US NERC CIP 2024 (source) CIP-007-6 5.5.1 CIP-007-6 5.5.2
US SSA EIESR 8.0 5.3
US TSA / DHS 1580/82-2022-01 III.C.1.a
US - CA CCPA 2025 7123(c)(1)(B)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.7(b) 500.7(c)(2)
US - TX TX-RAMP Level 1 IA-5(1)
US - TX TX-RAMP Level 2 IA-5(1)
EMEA (9)
Framework Mapping Values
EMEA EU PSD2 4
EMEA Germany C5 2020 IDM-09 PSS-07
EMEA Israel CDMO 1.0 4.35 12.15 12.16
EMEA Saudi Arabia CSCC-1 2019 2-2-1-5
EMEA Saudi Arabia IoT CGIoT-1 2024 2-2-2
EMEA Saudi Arabia ECC-1 2018 2-2-3-1
EMEA Saudi Arabia OTCC-1 2022 2-2-1-8
EMEA Saudi Arabia SACS-002 TPC-2
EMEA Spain CCN-STIC 825 7.2.5 [OP.ACC.5]
APAC (5)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0417 ISM-0421 ISM-0422 ISM-1557 ISM-1558 ISM-1596 ISM-1795
APAC Australia IoT Code of Practice Principle 1
APAC Japan ISMAP 9.2.4 9.2.4.9.PB 9.4.3
APAC New Zealand NZISM 3.6 16.1.35.C.01 16.1.35.C.02 16.1.42.C.01 16.1.43.C.01
APAC Singapore MAS TRM 2021 9.1.4
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.05.07.E 03.05.07.F 03.05.12.B 03.05.12.C 03.05.12.D 03.05.12.E 03.05.12.F

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication.

Level 1 — Performed Informally

Identification & Authentication (IAC) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Identity & Access Management (IAM) is decentralized where Active Directory (AD), or a similar technology, may be used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific systems, applications and services.
  • IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
  • IT personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.
Level 2 — Planned & Tracked

Identification & Authentication (IAC) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Implement and maintain an Identity & Access Management (IAM) capability for all users to implement “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts. o Govern IAM technologies via RBAC to prohibit privileged access by non-organizational users, unless there is an explicit support contract for privileged IT support services.

  • Logical Access Control (LAC) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for logical access control.
  • IT personnel:
  • Active Directory (AD), or a similar technology, is primarily used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific systems, applications and services that cannot be integrated into AD.
  • IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
  • Administrative processes and technologies enforce password complexity to ensure strong passwords.
  • Administrative processes and technologies ensure cryptographic modules adhere to applicable statutory, regulatory and contractual requirements for security strength.
Level 3 — Well Defined

Identification & Authentication (IAC) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An Identity & Access Management (IAM) function, or similar function, centrally manages permissions and implements “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.
  • The Human Resources (HR) department governs personnel management operations and notifies IAM personnel of personnel role changes for RBAC-based provisioning and deprovisioning actions.
  • An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data that conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
  • An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
  • Active Directory (AD), or a similar technology, is used to centrally manage identities and permissions. Only by exception due to a technical or business limitation are solutions authorized to operate a decentralized access control program for systems, applications and services.
  • Administrative processes and technologies enforce password complexity to ensure strong passwords.
  • Administrative processes and technologies ensure cryptographic modules adhere to applicable statutory, regulatory and contractual requirements for security strength.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication.

Assessment Objectives

  1. IAC-10.1_A01 for password-based authentication, a list of commonly used, expected or compromised passwords is maintained and updated frequently and when organizational passwords are suspected to have been compromised directly or indirectly.
  2. IAC-10.1_A02 for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected or compromised passwords.
  3. IAC-10.1_A03 for password-based authentication, passwords are only transmitted over cryptographically protected channels.
  4. IAC-10.1_A04 for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash.
  5. IAC-10.1_A05 for password-based authentication, immediate selection of a new password is required upon account recovery.
  6. IAC-10.1_A06 for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters.
  7. IAC-10.1_A07 for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators.
  8. IAC-10.1_A08 organization-defined composition and complexity rules for passwords are enforced.
  9. IAC-10.1_A09 password composition and complexity rules are defined.
  10. IAC-10.1_A10 password change of character requirements are defined.
  11. IAC-10.1_A11 minimum password complexity requirements, as defined, are enforced when new passwords are created.
  12. IAC-10.1_A12 minimum password change of character requirements as defined are enforced when new passwords are created.
  13. IAC-10.1_A13 the following composition and complexity rules for passwords are enforced: <A.03.05.07.ODP[02]: rules>.

Technology Recommendations

Micro/Small

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Small

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Medium

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Large

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Enterprise

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free