STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version: 5, Release: 1, Benchmark Date: 23 Oct 2020

The application must enforce a 60-day maximum password lifetime restriction.

DISA Rule

SV-222545r508029_rule

Vulnerability Number

V-222545

Group Title

SRG-APP-000174

Rule Version

APSC-DV-001770

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application to have a maximum password lifetime of 60 days.

Check Contents

Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.

If the application does not use passwords, the requirement is not applicable.

Access the application management interface and view the user password settings page.

Review user password settings and validate the application is configured to expire and force a password change after 60 days.

If user passwords are not configured to expire after 60 days, or if the application does not have the ability to control this setting, this is a finding.

Documentable

False

Severity Override Guidance

Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.

If the application does not use passwords, the requirement is not applicable.

Access the application management interface and view the user password settings page.

Review user password settings and validate the application is configured to expire and force a password change after 60 days.

If user passwords are not configured to expire after 60 days, or if the application does not have the ability to control this setting, this is a finding.

Check Content Reference

M

Target Key

4093

Comments