Most likely, it's part of the security/compliance protocol (FedRAMP) from when the portal was being set up. This is obviously overkill for a webboard, and we are reviewing whether we really need this webboard and some other components in a high security/compliance framework.
Thanks. That makes sense. As an aside, it is kind of funny if FedRAMP requires this, since NIST itself recommends against requiring password cycling (see section 10.2.1 "Memorized Secrets" from https://pages.nist.gov/800-63-3/sp800-63b.html : "Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.").