03.05.12 — Authenticator Management
What this control requires
(a) Verify the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution.
(b) Establish initial authenticator content for any authenticators issued by the organization.
(c) Establish and implement administrative procedures for initial authenticator distribution; for lost, compromised, or damaged authenticators; and for revoking authenticators.
(d) Change default authenticators at first use.
(e) Change or refresh authenticators {{ insert: param, A.03.05.12.ODP.01 }} or when the following events occur: {{ insert: param, A.03.05.12.ODP.02 }}.
(f) Protect authenticator content from unauthorized disclosure and modification.
Source: NIST SP 800-171 R3 §03.05.12 (official control text).
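The six requirements map naturally onto a lifecycle check that an identity team can run against its own records. The following is an added example written for this page, not code from the original page or from FORCE: it refuses to issue an authenticator to an unverified recipient (a), stores content only as a salted hash (f), and audits a set of records for unchanged defaults (d), overdue refresh and refresh-triggering events (e), and unprotected content (f). The record layout, the 180-day maximum age, the event set, and the sample records are assumptions constructed for illustration; the real values of A.03.05.12.ODP.01 and A.03.05.12.ODP.02 are organization-defined.

```python
"""Authenticator lifecycle audit modelled on 03.05.12 (a)-(f).

Added example, not code from the original page or from FORCE. The record
layout, MAX_AGE, REFRESH_EVENTS and the sample records in sample_findings()
are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
import hashlib
import hmac
import os

MAX_AGE = timedelta(days=180)  # assumed stand-in for A.03.05.12.ODP.01
# assumed stand-in for A.03.05.12.ODP.02: events that force a change
REFRESH_EVENTS = {"compromised", "lost", "role_change"}
PBKDF2_ROUNDS = 600_000  # assumed; align with current guidance for your deployment


@dataclass
class Authenticator:
    subject: str                      # individual, group, role, service or device
    kind: str                         # e.g. "password"
    issued_at: datetime
    identity_verified: bool           # (a) recipient verified at distribution
    default_unchanged: bool = False   # (d) vendor/initial default still in place
    revoked: bool = False             # (c) revocation recorded
    events: List[str] = field(default_factory=list)  # (e) unresolved events since last change
    rotated_at: Optional[datetime] = None            # last change, if any
    secret_hash: Optional[bytes] = None              # (f) salted hash, never the plaintext
    salt: Optional[bytes] = None


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """(f) Keep a salted PBKDF2-HMAC-SHA256 digest of the content, not the secret itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return digest, salt


def verify_secret(secret: str, digest: bytes, salt: bytes) -> bool:
    """Constant-time comparison so verification does not leak digest bytes."""
    candidate, _ = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)


def issue(subject: str, kind: str, secret: str, identity_verified: bool,
          now: datetime, default_unchanged: bool = False) -> Authenticator:
    """(a) and (b): distribute initial content only to a verified recipient."""
    if not identity_verified:
        raise PermissionError(f"{subject}: identity not verified before distribution")
    digest, salt = hash_secret(secret)
    return Authenticator(subject, kind, now, True,
                         default_unchanged=default_unchanged,
                         secret_hash=digest, salt=salt)


def audit(auths: List[Authenticator], now: datetime) -> List[Tuple[str, str]]:
    """Return (subject, finding) pairs for records that violate (d), (e) or (f)."""
    findings: List[Tuple[str, str]] = []
    for a in auths:
        if a.revoked:
            continue  # (c) a revoked authenticator needs no refresh; it must not work at all
        if a.default_unchanged:
            findings.append((a.subject, "default authenticator never changed (d)"))
        last_change = a.rotated_at or a.issued_at
        if now - last_change > MAX_AGE:
            findings.append((a.subject, "exceeds maximum age, refresh required (e)"))
        triggered = sorted(REFRESH_EVENTS.intersection(a.events))
        if triggered:
            findings.append((a.subject, f"event(s) {triggered} require refresh (e)"))
        if a.secret_hash is None or a.salt is None:
            findings.append((a.subject, "content not stored as a protected hash (f)"))
    return findings


def sample_findings() -> List[Tuple[str, str]]:
    """Run the audit over constructed sample records (not real data)."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    records = [
        issue("alice", "password", "correct horse battery staple", True, now - timedelta(days=30)),
        issue("svc-backup", "api_key", "k-3f9a", True, now - timedelta(days=400)),      # stale
        issue("router-7", "password", "admin", True, now - timedelta(days=2),
              default_unchanged=True),                                                   # default
        issue("bob", "password", "hunter2", True, now - timedelta(days=10)),
    ]
    records[3].events.append("compromised")                                              # event
    records.append(Authenticator("legacy-db", "password", now - timedelta(days=900), True))  # plaintext record
    carol = issue("carol", "password", "x", True, now - timedelta(days=700))
    carol.revoked = True                                                                 # revoked, skipped
    records.append(carol)
    return audit(records, now)


if __name__ == "__main__":
    for subject, finding in sample_findings():
        print(f"{subject}: {finding}")
```

The audit deliberately skips revoked records rather than flagging them: revocation is handled under (c) by disabling the authenticator at the verifier, and a revoked entry that still authenticates is a different finding than an overdue refresh.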
Why this matters
Authenticators (passwords, security keys, badges, certificates) are the material a system accepts as proof of identity, so whoever holds one holds the access it grants. Poor authenticator management creates entry points for attackers through stolen, shared, leaked, or default credentials. This control covers the whole lifecycle: authenticators are handed only to recipients whose identity has been verified, never left in a default state, changed or refreshed on a defined schedule and after defined events such as compromise or loss, revoked when they are no longer needed, and protected from disclosure and modification throughout (for example, stored only as salted hashes or in a managed secret store, never in plaintext files or scripts). Unchanged vendor defaults, stolen or reused credentials, and access that was never revoked after someone left are routine findings in breach investigations. Sound authenticator management denies attackers a valid credential and keeps legitimate users on current, protected authentication material.
What evidence assessors expect
Assessors typically look for evidence of both the documented procedures and their operation, in the form of a PDF, screenshot, CSV export, or photo. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.