5.0 Technical Policies
5.1.5. Authenticator Management
The following policy provides guidance for the management of authenticators, including passwords and multi-factor authenticators. A password is a secret that a claimant memorizes and uses to authenticate the claimant's identity. Passwords are typically character strings. Strong passwords have a minimum of eight characters with at least one uppercase letter, one lowercase letter, one digit, and one special character. Strong passwords do not contain common words or the user name or permutations of it.
The use of a password by more than one individual is discouraged throughout HUD. However, there may be circumstances (e.g., operation of crisis management or operations centers, watch teams, and other duty personnel) that require the use of group USERIDs and passwords.
Multi-factor authentication is an authentication system or a token that uses more than one authentication factor. The three types of authentication factors are something you know, something you have, and something you are. Authentication requires that the Claimant prove, through a secure authentication protocol, that he or she controls the token. The Claimant unlocks the token with a password or biometric, or uses a secure multi-token authentication protocol to establish two-factor authentication (through proof of possession of a physical or software token in combination with some memorized secret knowledge). FIPS 201 and its attendant SP 800-73 and SP 800-76 specify a personal identity verification (PIV) card token for use in the unique identification and authentication of federal employees and contractors. In circumstances where Federal employees or contractors are not eligible or required to receive a PIV card, HUD relies on alternative multi-factor authentication mechanisms to ensure appropriate authentication strength and protection.
NIST SP 800-53 Control: IA-5: The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
Security Baseline: Low, Moderate, and High
NIST SP 800-53 Control: IA-5 E-1: The information system, for password-based authentication:
a. Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
b. Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
c. Stores and transmits only cryptographically-protected passwords;
d. Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
e. Prohibits password reuse for [Assignment: organization-defined number] generations; and
f. Allows the use of a temporary password for system logons with an immediate change to a permanent password.
Security Baseline: Low, Moderate, and High
E-2: The information system, for PKI-based authentication:
a. Validates certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;
b. Enforces authorized access to the corresponding private key;
c. Maps the authenticated identity to the account of the individual or group; and
d. Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
Security Baseline: Moderate and High
E-3: The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
Security Baseline: Moderate and High
E-11: The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].
Security Baseline: Low, Moderate, and High
NIST SP 800-53 Control: IA-5 HUD Policy: 5.1.5
a. Program Offices/System Owners ensure that authenticators are distributed to individuals and/or devices in accordance with the Department’s identity, credential and access management business processes.
b. The OCIO and OCHCO:
Establish and maintain administrative procedures for initial authenticator distribution including in person receipt for PIV cards, for lost/compromised or damaged authenticators, for revoking authenticators, and for refreshing authenticators.
Refresh PIV cards in accordance with Federal standards, but in no case should a PIV card be valid more than 5 years.
Establish the minimum content for authenticators based on Federal Directives and Standards including Homeland Security Presidential Directive 12(HSPD-12) and FIPS 201, Personal Identity Verification for Federal Employees and Contractors, and supporting NIST Special Publications.
c. Program Offices/System Owners of information systems that require authentication controls over the Internet between outside parties and HUD utilize authentication mechanisms for the information system in accordance with NIST SP 800-63, Electronic Authentication Guideline.
d. Program Offices/System Owners ensure that information systems categorized as moderate or high-impact require multi-factor authentication. To the extent information systems are integrated into the Department’s Single Sign-On infrastructure, they are not required to establish system-specific authentication mechanisms.
e. In those systems where user identity is authenticated by password:
The system ISSO determines and enforces appropriate measures to ensure that strong passwords are used.
The system ISSO develops and implements administrative procedures for initial password distribution, for lost/compromised passwords, and for revoking passwords.
The system ISSO determines and enforces the appropriate frequency for changing passwords in accordance with HUD policy established under §5.2.2.
The system shall ensure that users cannot reuse a password for at least eight iterations.
The system shall ensure that passwords are not displayed when entered.
The system shall protect passwords from unauthorized disclosure and modification when stored and transmitted.
Users shall not share personal passwords.
f. Users shall select strong passwords and not reuse old passwords. All passwords are required to be at least 8 characters in length, including at least 1 upper case letter, 1 number and 1 special character (e.g., !, @, #, $).
g. Use of group passwords shall be limited to situations dictated by operational necessity or those critical for mission accomplishment. Use of a Group User ID and password must be approved by the appropriate Authorizing Official.
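The password-based controls above (IA-5 E-1 a, b, c and e, and HUD Policy 5.1.5 e and f) can be enforced in a single password-change routine. The following is an added worked example and is not HUD code or part of this policy; it applies the policy's stated values (minimum 8 characters, no reuse for eight iterations) and uses assumed placeholder values where the control is organization-defined (the minimum number of changed characters and the PBKDF2 work factor). The "permutations of the user name" rule is interpreted here as rejecting the user name or its reverse anywhere in the password; a real deployment would define that rule precisely.

```python
"""Password-authenticator controls from IA-5(1) and HUD 5.1.5(e)/(f), as a
worked example. Values marked ASSUMED are organization-defined placeholders,
not values taken from the policy text."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

MIN_LENGTH = 8               # HUD 5.1.5(f): at least 8 characters
HISTORY_DEPTH = 8            # HUD 5.1.5(e): no reuse for at least eight iterations
MIN_CHANGED_CHARS = 4        # IA-5(1)(b): ASSUMED organization-defined value
PBKDF2_ITERATIONS = 100_000  # ASSUMED work factor; raise for production use
SPECIALS = set("!@#$%^&*()-_=+[]{}|;:'\",.<>/?`~\\")


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """IA-5(1)(c): store only a salted, iterated hash, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored salt/digest pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def complexity_errors(password: str, username: str) -> list[str]:
    """IA-5(1)(a) complexity rules plus the 'no user-name permutations' rule.
    Interpretation: the user name and its reverse are rejected (case-insensitive)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no upper-case letter")
    if not any(c.islower() for c in password):
        errors.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c in SPECIALS for c in password):
        errors.append("no special character")
    u, p = username.lower(), password.lower()
    if len(u) >= 3 and (u in p or u[::-1] in p):
        errors.append("contains the user name or its reverse")
    return errors


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many characters actually changed (IA-5(1)(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Account:
    username: str
    # Salt/digest pairs, newest first: the current password plus its predecessors.
    history: list[tuple[bytes, bytes]] = field(default_factory=list)


def change_password(account: Account, current: str, new: str) -> list[str]:
    """Apply a password change. Returns the list of policy violations;
    an empty list means the change was accepted and recorded."""
    if account.history and not verify_password(current, *account.history[0]):
        return ["current password incorrect"]
    errors = complexity_errors(new, account.username)
    if account.history and edit_distance(current, new) < MIN_CHANGED_CHARS:
        errors.append(f"fewer than {MIN_CHANGED_CHARS} characters changed")
    # IA-5(1)(e) / HUD 5.1.5(e): compare against the current password and the
    # previous HISTORY_DEPTH passwords, using only their stored hashes.
    if any(verify_password(new, salt, digest) for salt, digest in account.history):
        errors.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    if errors:
        return errors
    account.history.insert(0, hash_password(new))
    del account.history[HISTORY_DEPTH + 1:]  # current password plus eight predecessors
    return []


if __name__ == "__main__":
    acct = Account("alice")  # constructed sample account
    print(change_password(acct, "", "Correct-Horse1"))                # []
    print(change_password(acct, "Correct-Horse1", "Correct-Horse2"))  # too few changed chars
    print(change_password(acct, "Correct-Horse1", "Battery-Staple7")) # []
    print(change_password(acct, "Battery-Staple7", "Correct-Horse1")) # reuse rejected
```

Note that the changed-character check needs the current password in plaintext, which is only available at change time; the reuse check, by contrast, works entirely on stored salted hashes, so the history never holds a recoverable password. Keeping HISTORY_DEPTH + 1 entries (the current password and eight predecessors) is what makes "cannot reuse for at least eight iterations" hold.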