Identify information system users, processes acting on behalf of users, or devices.

Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Enforce a minimum password complexity and change of characters when new passwords are created.

Prohibit password reuse for a specified number of generations.

Allow temporary password use for system logons with an immediate change to a permanent password.

Store and transmit only cryptographically protected passwords.

Obscure feedback of authentication information.

Use multi-factor authentication for local and network access to privileged accounts and for network access to nonprivileged accounts.

Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

Prevent the reuse of identifiers for a defined period.

Disable identifiers after a defined period of inactivity.