Common use of Interoperable System User Accounts and Passwords Clause in Contracts

Interoperable System User Accounts and Passwords. All users must have a discrete user account ID which cannot be the user's social security number. To protect against unauthorized access, passwords linked to the user ID are used to identify and authenticate authorized users. • Accounts and passwords shall not be transferred or shared. The sharing of both a user ID and associated password with anyone (including administrators) is prohibited. • Accounts and passwords shall be protected from disclosure and writing passwords down or electronically storing them on a medium that is accessible by others is prohibited. • The selection of passwords must be complex and shall: o Be at least eight characters in length o Contain a combination of alphabetic, numeric and special characters o Not the same as any of the user's previous 8 passwords. • Passwords shall not contain any dictionary word. • Passwords shall not contain any proper noun or the name of any person, pet, child, or fictional character. Passwords shall not contain any employee serial number, Social Security number, birth date, phone number, or any information that could be readily guessed about the creator of the password. • Passwords shall not contain any simple pattern of letters or numbers, such as “qwerty” or “xyz123”. • Passwords shall not be any word, noun, or name spelled backwards or with a single digit appended, or with a two-digit “year” string, such as 98xyz123. • Pass phrases, if used in addition to or instead of passwords, should follow the same guidelines. • Passwords shall not be the same as the User ID. • Users shall either log off or lock their workstations when unattended. • Workstations shall be configured to either log off, or activate a password-protected lock, or password- protected screensaver within fifteen (15) minutes of user inactivity. • Locked sessions shall remain locked until the user re-authenticates. • Workstations shall be protected from theft. • A user's account shall be automatically locked after three consecutive failed logon attempts. • The automatic lockout period for accounts locked due to failed login attempts shall be set for a minimum of twenty (20) minutes. • A process shall exist for manually unlocking accounts prior to the expiration of the twenty (20) minute period, after sufficient user identification is established. • Sessions shall automatically be terminated after sixty (60) minutes of inactivity. • Users are required to change their passwords at least once every 90 days. • Passwords must be promptly changed whenever a compromise of a password is known or suspected.

Interoperable System User Accounts and Passwords. All users must have a discrete user account ID which cannot be the user's ’s social security number. To protect against unauthorized access, passwords linked to the user ID are used to identify and authenticate authorized users. • Accounts and passwords shall not be transferred or shared. The sharing of both a user ID and associated password with anyone (including administrators) is prohibited. • Accounts and passwords shall be protected from disclosure and writing passwords down or electronically storing them on a medium that is accessible by others is prohibited. • The selection of passwords must be complex and shall: o Be at least eight characters in length o Contain a combination of alphabetic, numeric and special characters o Not the same as any of the user's ’s previous 8 passwords. • Passwords shall not contain any dictionary word. • Passwords shall not contain any proper noun or the name of any person, pet, child, or fictional character. Passwords shall not contain any employee serial number, Social Security number, birth date, phone number, or any information that could be readily guessed about the creator of the password. • Passwords shall not contain any simple pattern of letters or numbers, such as “qwerty” or “xyz123”. • Passwords shall not be any word, noun, or name spelled backwards or with a single digit appended, or with a two-digit “year” string, such as 98xyz123. • Pass phrases, if used in addition to or instead of passwords, should follow the same guidelines. • Passwords shall not be the same as the User ID. • Users shall either log off or lock their workstations when unattended. • Workstations shall be configured to either log off, or activate a password-protected lock, or password- protected screensaver within fifteen (15) minutes of user inactivity. • Locked sessions shall remain locked until the user re-authenticates. • Workstations shall be protected from theft. • A user's ’s account shall be automatically locked after three consecutive failed logon attempts. • The automatic lockout period for accounts locked due to failed login attempts shall be set for a minimum of twenty (20) minutes. • A process shall exist for manually unlocking accounts prior to the expiration of the twenty (20) minute period, after sufficient user identification is established. • Sessions shall automatically be terminated after sixty (60) minutes of inactivity. • Users are required to change their passwords at least once every 90 days. • Passwords must be promptly changed whenever a compromise of a password is known or suspected.