
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-004061

Definition

For password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).

Parent Control

IA-5 (1): Authenticator Management (family: Identification and Authentication)

Linked STIG Checks (58)

  • V-263534, CAT II: For password-based authentication, AAA Services must be configured to verify when users create or update passwords, and that the passwords are not on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). (AAA Services Security Requirements Guide)
  • V-274140, CAT II: Amazon Linux 2023 must prevent the use of dictionary words for passwords. (Amazon Linux 2023 Security Technical Implementation Guide)
  • V-267992, CAT I: Apple iOS/iPadOS 18 must be configured to enforce a passcode reuse prohibition of at least two generations. (Apple iOS/iPadOS 18 Security Technical Implementation Guide)
  • V-278752, CAT I: Apple iOS/iPadOS 26 must be configured to enforce a passcode reuse prohibition of at least two generations. (Apple iOS/iPadOS 26 Security Technical Implementation Guide)
  • V-276384, CAT I: Apple visionOS 2 must be configured to enforce a passcode reuse prohibition of at least two generations. (Apple visionOS 2 Security Technical Implementation Guide)
  • V-282793, CAT I: Apple visionOS 26 must be configured to enforce a passcode reuse prohibition of at least two generations. (Apple visionOS 26 Security Technical Implementation Guide)
  • V-222546, CAT II: The application must prohibit password reuse for a minimum of five generations. (Application Security and Development Security Technical Implementation Guide)
  • V-272627, CAT III: CylanceON-PREM must be configured to use a third-party identity provider. (Arctic Wolf CylanceON-PREM Security Technical Implementation Guide)
  • V-276012, CAT I: Ax-OS must have no local accounts for the user interface. (Axonius Federal Systems Ax-OS Security Technical Implementation Guide)
  • V-270704, CAT II: Ubuntu 24.04 LTS must prevent the use of dictionary words for passwords. (Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide)
  • V-263577, CAT II: The Central Log Server must, for password-based authentication, verify when users create or update passwords that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). (Central Log Server Security Requirements Guide)
  • V-242633, CAT II: The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access. (Cisco ISE NDM Security Technical Implementation Guide)
  • V-263594, CAT II: The container platform must, for password-based authentication, verify when users create or update passwords that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). (Container Platform Security Requirements Guide)
  • V-263613, CAT II: The DBMS must, for password-based authentication, verify that when users create or update passwords, the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). (Database Security Requirements Guide)
  • V-269805, CAT II: The Dell OS10 Switch must not have any default manufacturer passwords when deployed. (Dell OS10 Switch NDM Security Technical Implementation Guide)
  • V-263635, CAT II: The DNS server implementation must, for password-based authentication, verify when users create or update passwords that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). (Domain Name System (DNS) Security Requirements Guide)
  • V-230952, CAT II: Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access. (Forescout Network Device Management Security Technical Implementation Guide)
  • V-263653, CAT II: The operating system must, for password-based authentication, verify when users create or update passwords that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). (General Purpose Operating System Security Requirements Guide)
  • V-268217, CAT II: The HYCU virtual appliance must not have any default manufacturer passwords when deployed. (HYCU Protege Security Technical Implementation Guide)
  • V-256878, CAT II: The PASSWORD History Count value must be set to 10 or greater. (IBM Hardware Management Console (HMC) Security Technical Implementation Guide)
  • V-223477, CAT II: CA-ACF2 must prevent the use of dictionary words for passwords. (IBM z/OS ACF2 Security Technical Implementation Guide)
  • V-223508, CAT II: The ACF2 PSWD GSO record value must be set to prohibit password reuse for a minimum of five generations or more. (IBM z/OS ACF2 Security Technical Implementation Guide)
  • V-223728, CAT II: The IBM RACF PASSWORD(HISTORY) SETROPTS value must be set to five or more. (IBM z/OS RACF Security Technical Implementation Guide)
  • V-223886, CAT II: The CA-TSS NEWPW control options must be properly set. (IBM z/OS TSS Security Technical Implementation Guide)
  • V-223890, CAT II: The CA-TSS PWHIST Control Option must be set to 10 or greater. (IBM z/OS TSS Security Technical Implementation Guide)
  • V-223891, CAT II: The CA-TSS PPHIST Control Option must be properly set. (IBM z/OS TSS Security Technical Implementation Guide)
  • V-258600, CAT I: The ICS must be configured to prevent nonprivileged users from executing privileged functions. (Ivanti Connect Secure NDM Security Technical Implementation Guide)
  • V-251408, CAT II: The Ivanti EPMM server must prohibit password reuse for a minimum of four generations. (Ivanti EPMM Server Security Technical Implementation Guide)
  • V-241811, CAT II: The Jamf Pro EMM local accounts must prohibit password reuse for a minimum of five generations. (Jamf Pro v10.x EMM Security Technical Implementation Guide)
  • V-253941, CAT I: The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access. (Juniper EX Series Switches Network Device Management Security Technical Implementation Guide)
  • V-223206, CAT II: The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access. (Juniper SRX Services Gateway NDM Security Technical Implementation Guide)
  • V-263678, CAT II: The Mainframe Product must, for password-based authentication, verify when users create or update passwords that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). (Mainframe Product Security Requirements Guide)
  • V-270475, CAT II: Microsoft Entra ID must, for password-based authentication, verify when users create or update passwords that the passwords are not found on the list of commonly used, expected, or compromised passwords. (Microsoft Entra ID Security Technical Implementation Guide)
  • V-253300, CAT II: The password history must be configured to 24 passwords remembered. (Microsoft Windows 11 Security Technical Implementation Guide)
  • V-205660, CAT II: Windows Server 2019 password history must be configured to 24 passwords remembered. (Microsoft Windows Server 2019 Security Technical Implementation Guide)
  • V-254288, CAT II: Windows Server 2022 password history must be configured to 24 passwords remembered. (Microsoft Windows Server 2022 Security Technical Implementation Guide)
  • V-278036, CAT II: Windows Server 2025 password history must be configured to 24 passwords remembered. (Microsoft Windows Server 2025 Security Technical Implementation Guide)
  • V-260909, CAT II: MKE must be configured to integrate with an Enterprise Identity Provider. (Mirantis Kubernetes Engine Security Technical Implementation Guide)
  • V-264299, CAT II: The network device must be configured to verify, when users create or update passwords, that the passwords are not found on the list of commonly used, expected, or compromised passwords in IA-5 (1) (a) for password-based authentication. (Network Device Management Security Requirements Guide)
  • V-279580, CAT II: Nutanix OS must prevent using dictionary words for passwords. (Nutanix Acropolis GPOS Security Technical Implementation Guide)
  • V-279603, CAT II: Nutanix VMM must, for password-based authentication, verify that when users create or update passwords, the passwords are not found on the list of commonly used, expected, or compromised passwords. (Nutanix Acropolis GPOS Security Technical Implementation Guide)
  • V-273209, CAT II: Okta must prohibit password reuse for a minimum of five generations. (Okta Identity as a Service (IDaaS) Security Technical Implementation Guide)
  • V-270587, CAT II: Oracle Database must, for password-based authentication, verify that when users create or update passwords, the passwords are not found on the list of commonly used, expected, or compromised passwords in IA-5 (1) (a). (Oracle Database 19c Security Technical Implementation Guide)
  • V-253523, CAT II: Access to Prisma Cloud Compute must be managed based on user need and least privilege, using external identity providers for authentication and grouping to role-based assignments when possible. (Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide)
  • V-252843, CAT I: Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use a FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. (Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide)
  • V-257543, CAT I: OpenShift must use FIPS-validated LDAP or OpenID Connect. (Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide)
  • V-275656, CAT II: Ubuntu OS must be configured so that when passwords are changed or new passwords are established, pwquality must be used. (Riverbed NetIM OS Security Technical Implementation Guide)
  • V-221635, CAT III: Splunk Enterprise must prohibit password reuse for a minimum of five generations for the account of last resort. (Splunk Enterprise 7.x for Windows Security Technical Implementation Guide)
  • V-251688, CAT III: Splunk Enterprise must be configured to prohibit password reuse for a minimum of five generations. (Splunk Enterprise 8.x for Linux Security Technical Implementation Guide)
  • V-279283, CAT II: The Edge SWG must be configured to verify when users create or update passwords that the passwords are not found on the list of commonly used, expected, or compromised passwords in IA-5 (1) (a) for password-based authentication. (Symantec Edge SWG NDM Security Technical Implementation Guide)
  • V-213317, CAT II: The use of a Solidcore 8.x local Command Line Interface (CLI) Access Password must be documented in the organization's written policy. (Trellix Application Control 8.x Security Technical Implementation Guide)
  • V-242254, CAT I: The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions. (Trend Micro TippingPoint NDM Security Technical Implementation Guide)
  • V-282764, CAT II: TOSS 5 must, for password-based authentication, verify when users create or update passwords that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). (Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide)
  • V-234368, CAT II: The UEM server must prohibit password reuse for a minimum of five generations. (Unified Endpoint Management Server Security Requirements Guide)
  • V-258912, CAT II: The vCenter Server must prohibit password reuse for a minimum of five generations. (VMware vSphere 8.0 vCenter Security Technical Implementation Guide)
  • V-264318, CAT II: The VMM must, for password-based authentication, verify when users create or update passwords that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). (Virtual Machine Manager Security Requirements Guide)
  • V-264348, CAT II: The web server must, for password-based authentication, verify when users create or update passwords that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). (Web Server Security Requirements Guide)
  • V-269574, CAT I: Xylok Security Suite must use a centralized user management solution. (Xylok Security Suite 20.x Security Technical Implementation Guide)