Identification and Authentication

3.2.1.1

The COE Platform implementation shall enforce individual accountability by providing the capability to uniquely identify each user to the system.

3.2.1.1.1

The COE Platform implementation shall require users to uniquely identify themselves before beginning to perform any actions that the system is expected to mediate.

This criteria is satisfied by the implementation if the requirement is met prior to loading Government-supplied software.

3.2.1.1.2

The COE Platform implementation shall require users to login prior to assuming a trusted profile (for example, system administrator, security officer, root user, and superuser).

3.2.1.2

Each user shall be uniquely identifiable (for example, user name or user ID) within an administrative domain.

This criteria is satisfied by the implementation if the requirement is met prior to loading Government-supplied software.

3.2.1.2.1

The COE Platform implementation shall uniquely identify each user for an entire enterprise.

This criteria is satisfied by the implementation if the requirement is met prior to loading Government-supplied software.

3.2.1.3

The COE Platform implementation shall provide the capability of associating the user's identity with all auditable actions taken by that individual.

3.2.1.4

The COE Platform implementation shall provide the following mechanism(s) to authenticate each user's identity:

3.2.1.4.1

The COE Platform implementation shall provide the capability to authenticate each user's identity with a password. Passwords shall meet the following requirements:

3.2.1.4.1.1

3.2.1.4.1.1.1

The COE Platform implementation shall provide a graphical user interface (GUI) for changing passwords.

3.2.1.4.1.1.2

The COE Platform implementation shall require a password be changed after the age of a password has exceeded a maximum of n days where n is configurable by a trusted user.

3.2.1.4.1.1.2.1

The default maximum days shall be 91.

3.2.1.4.1.1.3

The COE Platform implementation shall provide the capability to notify the user n days prior to password expiration where n is defined by a trusted user.

3.2.1.4.1.1.3.1

The COE Platform implementation shall default to notifying the user seven (7) days prior to password expiration.

3.2.1.4.1.1.4

The COE Platform implementation shall prohibit a password from being changed until the age of a password has exceeded a minimum of n days where n is defined by a trusted user.

3.2.1.4.1.1.4.1

The default minimum before a password can be changed shall be seven (7) days.

3.2.1.4.1.2

The COE Platform implementation shall permit a trusted user to override minimum password age limits when changing passwords.

3.2.1.4.1.4

The COE Platform implementation shall permit only trusted users to change passwords other than their own.

3.2.1.4.1.5

The COE Platform implementation shall provide the capability to require users to change a password during the initial use of a password created by trusted users.

3.2.1.4.1.7

The COE Platform implementation shall ensure that passwords feature specific characteristics configurable by a trusted user. The following characteristics shall be included:

3.2.1.4.1.7.1

Minimum password length

3.2.1.4.1.7.1.1

The default minimum password length shall be set to eight (8) characters.

A waiver of the requirement will be granted for six (6) character passwords if requested. Note that a note regarding this waiver will appear on the certificate.

3.2.1.4.1.7.2

Password character set (for example, alphanumeric plus special American National Standard Code for Information Interchange [ASCII] characters).

3.2.1.4.1.7.3

Password includes at least one numeric, case change, or special character (for example, 0-9, &, %).

3.2.1.4.1.8

The COE Platform implementation shall provide the capability to prohibit the following passwords:

3.2.1.4.1.8.2

Use of a user name within a password.

A waiver of the requirement will be granted if requested. Note that a note regarding this waiver will appear on the certificate.

3.2.1.4.5

The COE Platform implementation shall provide the capability where upon success user login the following information is displayed: the date and time of the last successful login and the number of unsuccessful login attempts since the last successful login.

This requirement is satisfied if the supplier provides a utility to output this information. In many implementations, the historical last command will satisfy the requirement. The capability must be present, but need not be implemented in the GUI login process.

3.2.1.4.5.1

The COE Platform implementation shall provide a trusted user with the capability to enable or disable display of the last successful login date and time and the number of unsuccessful login attempts.

3.2.1.5

The COE Platform implementation shall prevent unauthorized access to authentication data.

3.2.1.5.1

The COE Platform implementation shall prevent unauthorized disclosure of passwords during transmission across a network.

The GOTS APM software uses the Diffie-Hellman algorithm for encrypting network traffic within the administrative domain.

3.2.1.5.2

The COE Platform implementation shall prevent unauthorized disclosure of passwords while stored.

3.2.1.6

The COE Platform implementation shall provide the capability to limit invalid login attempts which are indicative of potential login attacks.

3.2.1.6.1

If the number of consecutive invalid login attempts for a single user ID reaches a threshold n, where n is configurable by a trusted user, the user ID shall be locked and will remain locked during all further login attempts with that user ID from within the administrative domain.

3.2.1.6.2

The COE Platform implementation shall be configurable by a trusted user to provide the capability to set the default number of consecutive login failures.

3.2.1.6.2.1

The default number of consecutive login failures shall be three (3).

3.2.1.6.3

The COE Platform implementation shall provide the capability for a trusted user, and only a trusted user, to disable the consecutive login failure functionality.

3.2.1.6.4

When a user ID is locked, the COE Platform implementation shall provide the capability to send a notification to a trusted user.

3.2.1.6.5

The COE Platform implementation shall provide the capability for a trusted user to restore locked user IDs.

This criteria is satisfied by the implementation if the requirement is met prior to loading Government-supplied software.

3.2.1.6.6

The COE Platform implementation shall perform login failure lockout for all login points (for example, console, remote login) in the administrative domain.

3.2.1.6.6.1

The COE Platform implementation shall perform login failure lockout for all login points (for example, console, remote login) in the enterprise.