Control 3.5.9
Allow Temporary Passwords for System Logons with Immediate Change
Official Requirement
Allow temporary password use for system logons with an immediate change to a permanent password.
What This Means in Plain English
When new accounts are created or passwords are reset, the temporary password must be changed at first login. This ensures that only the intended user knows the permanent password.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Active Directory 'User must change password at next logon' flag set on all new and reset accounts
- Temporary passwords generated with strong randomness and communicated securely
- Self-service password reset portal requiring immediate creation of a permanent password
- Microsoft Entra Temporary Access Pass (TAP) with configurable one-time use for initial setup
- ComplianceArmor tracking password reset events and confirming change completion
Assessment Guidance
Assessors will verify that new accounts require password change at first login, test the temporary password process, check that temporary passwords expire if not changed within a defined period, and review password reset procedures.
Common Implementation Gaps
- New accounts created without requiring password change at first logon
- Temporary passwords that do not expire
- Same temporary password used for all new accounts
- Temporary passwords communicated over insecure channels, such as plain-text email
- No verification that the intended user performed the password change
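The Active Directory side of the implementation above (random temporary password, 'User must change password at next logon' flag, expiry of unchanged temporaries, and confirmation that the change happened) can be scripted and scheduled. The following PowerShell is an added example, not Petronella's or ComplianceArmor's tooling and not Microsoft's documentation; it assumes the RSAT ActiveDirectory module, rights on the target OU, and a placeholder OU path and account names. It does not cover the Entra Temporary Access Pass path.

```powershell
# Added example: provision an AD account with a cryptographically random temporary
# password that must be changed at first logon, then audit for temporary passwords
# that were never changed and confirm completed changes. OU path and account
# names below are placeholders.
Import-Module ActiveDirectory

function New-TemporaryPassword {
    param([int]$Length = 20)
    # Pool omits look-alike characters (I, l, 1, O, 0) because the value is read
    # by a human; rejection sampling avoids the modulo bias of `$byte % pool size`.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # largest multiple of the pool size below 256
    $buf   = New-Object byte[] 1
    do {
        $chars = New-Object System.Collections.Generic.List[char]
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
        }
        $candidate = -join $chars
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and
             $candidate -match '[0-9]' -and $candidate -match '[^A-Za-z0-9]')
    $rng.Dispose()
    return $candidate
}

function New-ManagedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$OUPath = 'OU=Staff,DC=example,DC=com'   # placeholder OU
    )
    $plain  = New-TemporaryPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    # -ChangePasswordAtLogon sets pwdLastSet = 0, i.e. 'User must change password at next logon'.
    New-ADUser -Name $DisplayName -SamAccountName $SamAccountName -Path $OUPath `
               -AccountPassword $secure -Enabled $true -ChangePasswordAtLogon $true
    # Returned only so the caller can hand it to the secure delivery channel.
    return [pscustomobject]@{ SamAccountName = $SamAccountName; TemporaryPassword = $plain; IssuedAt = Get-Date }
}

function Get-StaleTemporaryPasswords {
    # Enabled accounts still in the must-change state older than $MaxAgeDays hold a
    # temporary password that was never replaced; with -Disable they are shut off,
    # which is what makes the temporary credential expire.
    param([int]$MaxAgeDays = 3, [switch]$Disable)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $stale = Get-ADUser -Filter {pwdLastSet -eq 0 -and Enabled -eq $true} -Properties whenCreated |
             Where-Object { $_.whenCreated -lt $cutoff }
    foreach ($u in $stale) {
        if ($Disable) { Disable-ADAccount -Identity $u }
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; Created = $u.whenCreated; Disabled = [bool]$Disable }
    }
}

function Test-PasswordChangeCompleted {
    # True once the account has left the must-change state with a password set after
    # the temporary one was issued; use with the IssuedAt value from New-ManagedUser.
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][datetime]$IssuedAt)
    $u = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet
    return ($null -ne $u.PasswordLastSet) -and ($u.PasswordLastSet -gt $IssuedAt)
}

# Usage (placeholder names):
# $issued = New-ManagedUser -SamAccountName 'jdoe' -DisplayName 'Jane Doe'
# Get-StaleTemporaryPasswords -MaxAgeDays 3 -Disable
# Test-PasswordChangeCompleted -SamAccountName $issued.SamAccountName -IssuedAt $issued.IssuedAt
```

Running `Get-StaleTemporaryPasswords` on a schedule gives the assessor evidence that temporary passwords expire within a defined period, and `Test-PasswordChangeCompleted` records whether the change actually occurred; the user-level proof that the intended person performed the change still depends on how the temporary password was delivered.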
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | IA-5(1) |
| PCI DSS | Req 8.2.6 - Set passwords for first-time use and reset to a unique value |
Need Help Implementing 3.5.9?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment