FedRAMP Controls / IA

IA-5(1) Password-based Authentication

Family IA
Baselines moderate
Mapped KSIs 1

Control statement

For password-based authentication:
    (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;
    (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
    (c) Transmit passwords only over cryptographically-protected channels;
    (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;
    (e) Require immediate selection of a new password upon account recovery;
    (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;
    (g) Employ automated tools to assist the user in selecting strong password authenticators; and
    (h) Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}.
        Requirement: Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or one-time password (OTP) authenticators. Password policies shall not enforce special-character or minimum password-rotation requirements for memorized secrets of users.
        (h) Requirement: For cases where the technology does not allow multi-factor authentication, these rules should be enforced: passwords must have a minimum length of 14 characters and must support all printable ASCII characters.
        For emergency-use accounts, these rules should be enforced: passwords must have a minimum length of 14 characters, must support all printable ASCII characters, and must be changed after each use.
        Guidance: Note that (c) and (d) require the use of cryptography, which must be compliant with Federal requirements and use FIPS-validated or NSA-approved cryptography (see SC-13).

Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is preserved in the catalog database.
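The following is an added example, not text or code from the FedRAMP catalog or from any FedRAMP-authorized system, showing how items (b), (d), (f) and (h) of the statement above combine into one acceptance-and-storage routine for a memorized secret. It uses only the Python standard library: PBKDF2-HMAC-SHA256 with a random per-user salt for the approved salted KDF in (d), and an HMAC under a server-side secret for the "keyed hash" (the secret, called `PEPPER` here, is generated at import time for the demo and is assumed to live in a KMS or HSM in a real deployment). The blocklist contents, the `MIN_LENGTH` value of 14 taken from the (h) requirement, the record format and the iteration count are this example's own assumptions. Items (a), (c), (e) and (g) are process or transport requirements and are not modelled. Whether this counts as FIPS-validated cryptography under SC-13 depends on the OpenSSL module behind `hashlib`, not on the algorithm names alone.

```python
"""Added example (not FedRAMP catalog material): a minimal IA-5(1)
password authenticator.  Policy check per (b), (f), (h); storage per (d).
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import unicodedata

# IA-5(1)(h) requirement: 14-character minimum where MFA is unavailable.
MIN_LENGTH = 14
# Assumed work factor (OWASP's 2023 figure for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 600_000
# Assumed server-side key for the keyed hash in (d).  Random for the demo;
# a real deployment keeps it outside the credential database (KMS/HSM).
PEPPER = secrets.token_bytes(32)

# IA-5(1)(a): a constructed stand-in for the organization-maintained list of
# commonly used, expected or compromised passwords.
BLOCKLIST = {
    "password123456",
    "correct horse battery staple",
    "Welcome2Company!",
}


def _normalize(password: str) -> str:
    # SP 800-63B recommends NFKC normalization so the same passphrase typed
    # on different keyboards/platforms hashes identically.
    return unicodedata.normalize("NFKC", password)


def check_password_policy(password: str, blocklist=BLOCKLIST) -> list[str]:
    """Return the list of violations; an empty list means the secret is acceptable.

    (f): spaces and every printable character (ASCII and Unicode) are allowed;
         only control characters such as tab or newline are rejected.
    (h): length floor of MIN_LENGTH.
    (b): exact match against the blocklist.
    """
    password = _normalize(password)
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not password.isprintable():  # " ".isprintable() is True, "\t" is not
        problems.append("contains a non-printable (control) character")
    if password in blocklist:
        problems.append("appears on the commonly-used/compromised password list")
    return problems


def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """(d): salted approved KDF (PBKDF2-HMAC-SHA256, SP 800-132) whose output
    is then keyed with HMAC-SHA256 under PEPPER.  Record format is this
    example's own: algo$iterations$salt_hex$tag_hex."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", _normalize(password).encode("utf-8"), salt, iterations, dklen=32
    )
    tag = hmac.new(PEPPER, derived, "sha256").digest()
    return f"pbkdf2-sha256${iterations}${salt.hex()}${tag.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the record with the stored salt/iterations and compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, tag_hex = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    recomputed = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed.split("$")[3], tag_hex)


def enroll(password: str) -> str:
    """Accept-or-reject a new/updated password, then store it per (d)."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    record = enroll("four random words, plus a space")
    print(record)
    print(verify_password("four random words, plus a space", record))  # True
```

Because the database holds only the HMAC tag, an attacker who dumps the table but not `PEPPER` cannot run an offline guessing attack at all; if `PEPPER` is also lost, the per-user salt and the PBKDF2 cost still apply. Rotating `PEPPER` requires re-keying every record, so version it in the stored format before doing so.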

Covered by these Key Security Indicators

KSI        KSI-IAM-02
Title      Passwordless Authentication
Statement  Use secure passwordless methods for user authentication and authorization when feasible, otherwise enforce strong passwords with MFA.
Category   Identity and Access Management