Identification and Authentication 3.5.9 (3.5.9)

Allow temporary password use for system logons with an immediate change to a permanent password.


What Is This CMMC Control?

Organizations must ensure that when temporary passwords are issued (such as for new accounts or password resets), users are forced to change them to permanent passwords immediately upon first login. This prevents weak or known temporary credentials from remaining active longer than necessary.

Control Intent

To minimize the window of vulnerability created by temporary passwords by ensuring they are replaced with strong, permanent passwords at the earliest opportunity.

Who This Control Applies To

  • All systems that issue temporary passwords for initial access or password resets
  • Identity and access management systems
  • Authentication systems and directories (Active Directory, LDAP, cloud identity providers)
  • Applications that manage their own user authentication
  • Systems accessible by employees, contractors, and other authorized users

Not Applicable When

  • Systems that never issue temporary passwords (all passwords are user-created from the start)
  • Systems using only certificate-based or hardware token authentication without password components
  • Fully automated service accounts that never require interactive logon
  • Systems where password resets always occur through secure self-service portals that enforce immediate change

Key Objectives

  1. Ensure temporary passwords are replaced immediately upon first system logon.
  2. Reduce the time window during which weak or known temporary credentials can be exploited.
  3. Enforce authentication strength requirements as soon as users gain initial access.

Sample Self-Assessment Questions (Partial)

Does your organization ever issue temporary passwords to users for initial access or password resets?

What systems or applications currently issue temporary passwords?

Implementation Approaches (High-Level)

Active Directory Group Policy Enforcement

Configure Active Directory to mark passwords as expired or require change at next logon when temporary passwords are issued.

Azure Active Directory Password Reset Policy

Configure Azure AD to require password change on first sign-in for new users or after administrative password reset.

Application-Level Password Change Enforcement

Configure individual applications to require password change upon first login with temporary credentials.

Identity Provider (IdP) Forced Password Change

Configure centralized identity providers (Okta, Ping, OneLogin, etc.) to enforce immediate password change for temporary credentials.

Privileged Access Management (PAM) Temporary Credential Enforcement

Configure PAM solutions to enforce immediate password change for temporary privileged credentials.
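The application-level approach above, shown as an added example that is not code from this page or from any product it names: a small in-memory Python authentication store in which a temporary password admits only a restricted session whose single permitted action is setting a permanent password, with an assumed one-hour validity window standing in for the short-lived temporary credential the POA&M notes describe, and an audit view of accounts still carrying a temporary password. The store, the TTL, the minimum-length rule, the usernames and the timestamps are all assumptions.

```python
"""Application-level enforcement of 3.5.9 (added example, not from the page):
a temporary password grants only a restricted first logon whose single
permitted action is choosing a permanent password."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed compensating-control window for temporary passwords: one hour (seconds).
TEMP_PASSWORD_TTL = 3600.0
MIN_PERMANENT_LENGTH = 14      # assumed local policy value
PBKDF2_ROUNDS = 100_000        # modest so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the temporary password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change: bool = False               # True while a temporary password is active
    temp_issued_at: Optional[float] = None  # epoch seconds when the help desk issued it


class AuthStore:
    """Minimal user store; a real application would back this with a database."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def issue_temporary_password(self, username: str, now: float) -> str:
        """Help-desk action: create or reset an account with a random temporary password."""
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(temp, salt),
                                          must_change=True, temp_issued_at=now)
        return temp  # handed to the user out of band; only its hash is kept here

    def login(self, username: str, password: str, now: float) -> str:
        """Returns 'denied', 'expired', 'change_required' or 'ok'.
        'change_required' means the session is restricted to the change-password
        step: no other resource may be served until change_password() succeeds,
        so logging out and back in with the temporary password gains nothing."""
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            return "denied"
        if acct.must_change:
            if now - acct.temp_issued_at > TEMP_PASSWORD_TTL:
                return "expired"  # temporary credential lapsed; help desk must reissue
            return "change_required"
        return "ok"

    def change_password(self, username: str, current: str, new: str, now: float) -> bool:
        """Replace the temporary password; the only action a restricted session may take."""
        if self.login(username, current, now) not in ("change_required", "ok"):
            return False
        acct = self.accounts[username]
        if len(new) < MIN_PERMANENT_LENGTH:
            return False
        if hmac.compare_digest(hash_password(new, acct.salt), acct.pw_hash):
            return False  # the permanent password must differ from the temporary one
        acct.salt = os.urandom(16)  # fresh salt so old and new hashes are unrelated
        acct.pw_hash = hash_password(new, acct.salt)
        acct.must_change = False
        acct.temp_issued_at = None
        return True

    def outstanding_temporary_passwords(self, now: float) -> List[str]:
        """Audit view: accounts whose temporary password has not been replaced,
        marked 'lapsed' once past the TTL so the help desk can follow up."""
        out = []
        for a in self.accounts.values():
            if a.must_change:
                state = "lapsed" if now - a.temp_issued_at > TEMP_PASSWORD_TTL else "pending"
                out.append(f"{a.username}:{state}")
        return out


if __name__ == "__main__":
    store = AuthStore()
    t0 = 1_700_000_000.0                              # constructed timestamp
    temp = store.issue_temporary_password("jdoe", t0)  # hypothetical user
    print(store.login("jdoe", temp, t0))
    print(store.change_password("jdoe", temp, "long-enough-permanent-passphrase", t0))
    print(store.login("jdoe", temp, t0))
    print(store.outstanding_temporary_passwords(t0 + 7200))
```

The design point is that enforcement lives in the login path, not in a reminder: a temporary password never yields an "ok" session, the change must happen against the same credential that was just presented, and the audit method gives the evidence an assessor would ask for (who is still on a temporary password, and whether it has lapsed).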

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If temporary password enforcement is not currently implemented, prioritize systems that handle CUI or provide privileged access.
  • Implement centralized enforcement first (Active Directory, Azure AD, IdP) to cover the broadest scope quickly.
  • For systems that cannot technically enforce immediate password change, document compensating controls such as very short temporary password validity periods (1-2 hours maximum).
  • If legacy systems lack this capability, consider implementing a manual verification process in which the help desk confirms the password change before granting full access.
  • Document any systems where immediate enforcement is not possible and include a remediation timeline in the POA&M.
  • Ensure the POA&M includes specific technical implementation steps, not just policy updates.
  • Include testing and validation steps in the POA&M to verify that enforcement is working across all systems.
  • Consider a phased implementation starting with the highest-risk user populations (administrators, CUI access).
  • Address monitoring and auditing gaps in the POA&M to ensure ongoing compliance verification.

Frequently Asked Questions

What qualifies as a 'temporary password' under this control?

A temporary password is any credential issued by an administrator or system for initial access or password reset, rather than being created directly by the user. This includes passwords provided during account creation, after password resets, for new employee onboarding, or when users are locked out. The key characteristic is that the password is known to someone other than the end user before first use.

Can users log in multiple times with a temporary password, or must it be changed on the very first login attempt?

The control requires that temporary passwords be changed immediately upon first system logon. Users should not be able to log in, log out, and log back in with the same temporary password. The enforcement mechanism must prevent any access to system resources until the password is changed, and the change must occur during that first login session.

Does this control apply to service accounts or only interactive user accounts?

While the control text focuses on 'system logons', which typically implies interactive access, best practice is to avoid issuing temporary passwords to service accounts entirely. Service accounts should use strong, permanent credentials from creation, or preferably use certificate-based or managed identity authentication. If temporary credentials must be used for service accounts, they should be changed immediately through automated processes.

What should we do if a legacy system cannot technically enforce immediate password change?

If a system cannot enforce immediate password change, you should implement compensating controls and document them clearly. Compensating controls might include: extremely short temporary password validity periods (1-2 hours maximum), manual verification by help desk that password was changed before granting access, or restricting temporary password use to low-risk systems only. These compensating controls should be documented in a POA&M with a plan to upgrade or replace the system.

How do we handle situations where users cannot complete the password change process due to technical issues?

Your procedures should include a process for handling failed password change attempts. This might involve help desk intervention to verify the user's identity and issue a new temporary password, or providing alternative secure methods for password reset. The key is that the original temporary password should be invalidated and a new one issued, with the same immediate change requirement. Document these exception handling procedures as part of your overall password management process.

Does the new permanent password need to be different from the temporary password?

Yes, the new permanent password must be different from the temporary password. This is typically enforced through password history settings that prevent reuse of recent passwords. Configure your authentication systems to maintain password history (at least 1 previous password) and set a minimum password age to prevent users from immediately changing back to the temporary password. This ensures the temporary credential is truly replaced with a new, user-created password.
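The history and minimum-age settings described in this answer, as an added example that is not code from the page: a per-account Python password history that rejects any candidate matching one of the last N stored hashes and refuses voluntary changes before the minimum age has elapsed, while letting a forced change (temporary password in effect) through regardless of age, which is also how Active Directory treats a user flagged to change password at next logon. The history depth, the one-day minimum age, the timestamps and the passwords are assumptions; the page itself requires only a history of at least one previous password.

```python
"""Password history plus minimum password age (added example, not from the page).
Times are epoch seconds, as time.time() would return."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

PASSWORD_HISTORY_DEPTH = 5           # assumed: remember the last five passwords
MINIMUM_PASSWORD_AGE = 24 * 3600.0   # assumed: one day, in seconds
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Per-account list of (salt, hash) pairs, newest first, plus the last change time."""

    def __init__(self) -> None:
        self.entries: List[Tuple[bytes, bytes]] = []
        self.last_changed: Optional[float] = None

    def record(self, password: str, now: float) -> None:
        """Store the hash of the password that is now in effect. A temporary
        password issued by an administrator is recorded too, so the permanent
        password the user picks cannot simply be that same value."""
        salt = os.urandom(16)
        self.entries.insert(0, (salt, hash_password(password, salt)))
        del self.entries[PASSWORD_HISTORY_DEPTH:]  # keep only the configured depth
        self.last_changed = now

    def check_new_password(self, candidate: str, now: float,
                           forced_change: bool = False) -> Tuple[bool, str]:
        """forced_change=True is the must-change-at-next-logon case: the minimum
        age is bypassed there, because blocking that change would keep the
        temporary credential alive; history is enforced in every case."""
        if (not forced_change and self.last_changed is not None
                and now - self.last_changed < MINIMUM_PASSWORD_AGE):
            return False, "minimum password age not reached"
        for salt, digest in self.entries:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                return False, "reuse of a recent password is blocked by history"
        return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000.0                 # constructed timestamp
    h = PasswordHistory()
    h.record("first-permanent-passphrase", t0)
    h.record("Temp-Pass-1234!", t0 + 3600)   # administrator reset: temporary password in effect
    print(h.check_new_password("Temp-Pass-1234!", t0 + 3660, forced_change=True))
    print(h.check_new_password("second-permanent-passphrase", t0 + 3660, forced_change=True))
```

Minimum password age is what stops a user from changing the temporary password to something new and then straight back to the temporary value; the forced-change bypass exists only so that the first, mandatory change is never itself blocked by that same setting.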

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2.