NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-5(5) Change Authenticators Prior to Delivery

Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Changing authenticators prior to the delivery and installation of system components extends the requirement for organizations to change default authenticators upon system installation by requiring developers and/or installers to provide unique authenticators or change default authenticators for system components prior to delivery and/or installation. However, it typically does not apply to developers of commercial off-the-shelf information technology products. Requirements for unique authenticators can be included in acquisition documents prepared by organizations when procuring systems or system components.

Practitioner Notes

This enhancement requires changing default authenticators before or during system installation — default passwords on devices and software must be changed immediately.

Example 1: Before deploying any new network device (router, switch, firewall), change all default passwords and community strings as part of your standard build checklist.

Example 2: Include a step in your server deployment runbook to change default administrator passwords and disable default accounts before connecting the system to the network.
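One way to turn the two checklist steps above into an automated pre-deployment gate (an added example, not part of the original page or of NIST's text). It assumes a Cisco IOS-style configuration syntax; the default-value lists, the function name `audit_config` and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample values (assumptions): extend from your vendors' documentation.
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_ACCOUNTS = {"admin", "administrator", "cisco", "root"}
DEFAULT_PASSWORDS = {"admin", "cisco", "password", "changeme"}

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)", re.I)
USER_RE = re.compile(
    r"^username (\S+)\b.*?\b(?:password|secret) (?:(\d+) )?(\S+)\s*$", re.I)


def audit_config(text):
    """Return (line_number, finding) tuples for default authenticators."""
    findings = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append((num, "default SNMP community string"))
            continue
        m = USER_RE.match(line)
        if not m:
            continue
        # A missing type digit is treated as cleartext (type 0).
        user, enc_type, value = m.group(1), m.group(2) or "0", m.group(3)
        if user.lower() in DEFAULT_ACCOUNTS:
            findings.append((num, f"default account '{user}' still present"))
        # Only cleartext values can be compared; hashed secrets are skipped.
        if enc_type == "0" and value.lower() in DEFAULT_PASSWORDS | {user.lower()}:
            findings.append((num, f"default or username-derived password for '{user}'"))
    return findings


# Constructed candidate configuration, not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-sw-01
username admin password 0 admin
username netops privilege 15 secret 9 $9$CONSTRUCTEDHASHVALUE
snmp-server community public RO
snmp-server community 7hQ2-constructed-ro RO
"""

if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for num, finding in results:
        print(f"line {num}: {finding}")
    raise SystemExit(1 if results else 0)  # non-zero exit blocks the build step
```

Run against the configuration staged for a device before it is connected to the network; a hashed secret passes the password comparison, so the account-name check is what catches a default account whose password cannot be inspected.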