IA.L2-3.5.9 — Allow temporary password use for system logons with an immediate change to a permanent password.

What this control requires

Allow temporary password use for system logons with an immediate change to a permanent password.

Source: CMMC L2 v2.13 IA.L2-3.5.9 / NIST SP 800-171 R2 3.5.9 (official control text).

Why this matters

Temporary passwords are inherently vulnerable because they're often transmitted insecurely, stored in less-protected channels, or shared verbally. This control closes the window of opportunity for credential theft by forcing users to replace any temporary credential with a strong, privately-known password the instant they first authenticate. Without this enforcement, temporary passwords can remain active for days or weeks, giving attackers time to intercept and abuse them. Immediate forced password change transforms a high-risk provisional credential into a properly secured permanent one, ensuring authentication strength is established before any system access occurs.

What evidence assessors expect

Assessors typically look for: screenshot, CSV export, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls