STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must enforce 24 hours/1 day as the minimum password lifetime.

DISA Rule

SV-222544r508029_rule

Vulnerability Number

V-222544

Group Title

SRG-APP-000173

Rule Version

APSC-DV-001760

Severity

CAT II

CCI(s)

• CCI-000198 - The information system enforces minimum password lifetime restrictions.

Weight

10

Fix Recommendation

Configure the application to have a minimum password lifetime of 24 hours.

Check Contents

Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.

If the application does not use passwords, the requirement is not applicable.

Access the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities.

Attempt to change the password more than once.

If a password can be changed more than once within 24 hours, the minimum lifetime setting is not set and this is a finding.

Vulnerability Number

V-222544

Documentable

False

Rule Version

APSC-DV-001760

Severity Override Guidance

Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.

If the application does not use passwords, the requirement is not applicable.

Access the application management interface and create a test user account or logon to the system with a test account and access the functionality that provides password change capabilities.

Attempt to change the password more than once.

If a password can be changed more than once within 24 hours, the minimum lifetime setting is not set and this is a finding.

Check Content Reference

M

Target Key

4093

Comments