Identity Management and Authentication

The institution shall identify system users, processes acting on behalf of users, and devices.

The institution shall authenticate (or verify) the identities of users, processes, or devices as a prerequisite to allowing access to institutional systems.

The institution shall enforce a minimum password complexity and change of characters when new passwords are created.

The institution shall allow temporary password to use for system logons with an immediate change to a permanent password.