IA.L2-3.5.9

IA.L2-3.5.9: Temporary Passwords

Establish temporary passwords and require a change upon first logon.

Temporary passwords prevent permanent passwords from being exposed during initial account provisioning. You create a temporary password, give it to the user, they log in, they’re forced to set their own password immediately. Their permanent password never travels through insecure channels.

This is usually configured in Active Directory with the “user must change password at next logon” flag. It’s straightforward if you have a documented process for it. The failure is usually “we just give them a password and they use it,” with no enforced change. This works alongside account provisioning processes covered in IA.L2-3.5.5 and password protections in IA.L2-3.5.10.

Family Identification and Authentication
Practice IA.L2-3.5.9
Difficulty Easy
Key evidence Account provisioning SOP, Group Policy configuration, example provisioning tickets

What the assessor is actually evaluating

The assessor is checking that you have a process for temporary passwords and that you enforce a password change on first logon. They want to know how temporary passwords are created and delivered. They want to see that you’re not sending passwords through email or chat. They want to see that accounts are configured to force a change immediately.

If you say “we generate a temporary password, set the account to require a change at next logon, and deliver it securely,” you’ve covered this practice. The details of “securely” matter. If you say “we email it,” that’s not secure. If you say “we deliver it via [secure method] or in person,” that’s fine.

What a realistic SSP definition looks like

Example SSP Language: IA.L2-3.5.9

Practice IA.L2-3.5.9: Temporary Passwords and Change on First Logon

When new user accounts are created, temporary passwords are issued and must be changed immediately upon first logon.

Account Provisioning Process:

When a new account is provisioned in Active Directory, the account creator generates a random temporary password. The password meets our complexity requirements (see IA.L2-3.5.7). The account is configured with the “user must change password at next logon” setting in Active Directory. This forces the user to set a permanent password before they can access any systems.

Temporary Password Delivery:

Temporary passwords are delivered securely. For employees on-site, passwords are delivered verbally or in person. For remote employees, temporary passwords are delivered through [secure method: encrypted email / secure password sharing portal / phone call / etc.]. Passwords are never sent via unencrypted email, chat, or text message.

Password Change Enforcement:

Upon first logon, Windows prompts the user to change their password. The user must enter the temporary password, then create a new permanent password meeting complexity requirements. This new password becomes the user’s permanent password for domain access.

Account Reset:

If a user forgets their password and requires a reset, the same temporary password procedure applies. A temporary password is issued, the account is configured to require a change at next logon, and the user is notified.

Service Account Exception:

Service accounts are not subject to this requirement due to their non-interactive nature. Service account passwords are generated, stored in a credential vault, and are changed only through administrative processes or scheduled rotation.

This is clear about the process, the delivery method, and the enforcement mechanism. The assessor reads this and doesn’t need to ask follow-up questions.

How to present your evidence

Evidence checklist
  • Account provisioning SOP or process document covering temporary password procedure
  • Group Policy or Active Directory configuration showing 'user must change password at next logon'
  • Example provisioning ticket documenting the process
  • Evidence of secure temporary password delivery method (not email/chat)

You need:

  1. Your account provisioning SOP. Document the process for creating accounts, including the temporary password procedure. One paragraph is fine.

  2. Group Policy or Active Directory configuration. Show that accounts are being created with “user must change password at next logon” enabled. You can show this in Active Directory Users and Computers by looking at a test account or a recently created account and showing the setting is checked.

  3. Example provisioning tickets. Find one or two recent new hire provisioning tickets that show how the account was set up. You don’t need to show the password itself, just show that the ticket references the provisioning process.

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "What's your process for temporary passwords?"
"We generate a temporary password for new accounts, set them to require a password change at next logon, and deliver the temporary password securely [method]. The user logs in, Windows forces them to change it immediately."
Q: "How is the temporary password delivered?"
State your method. "In-person for employees on-site. For remote employees, we use [method]." Whatever method you use, it should be secure. "Email" is weak. "Encrypted email" or "secure portal" or "phone" is better.
Q: "Can you show me an example of an account that requires a password change?"
Pull up Active Directory Users and Computers. Find a recently created account and open its properties. "Here's a new account. You can see 'User must change password at next logon' is checked. When this user logs in, they'll be forced to set their own password."

Common failures

No documented process for temporary passwords. You do it, but there's no written procedure. When the assessor asks how you handle new accounts, you can't point to a process document.
Temporary passwords are sent via email or unencrypted channels. Email is not secure. If you're doing this, change it. Use encrypted email, a secure portal, phone, or in-person delivery.
"User must change password at next logon" is not configured. You issue temporary passwords but don't enforce a change. Users can keep the temporary password. That defeats the purpose.
You have a documented process and accounts are visibly configured to force a password change. Provisioning SOP describes temporary passwords. Active Directory shows "user must change password at next logon" enabled on new accounts.
Temporary passwords are delivered securely and the change is enforced. Assessor can see the full workflow from creation through forced change.
Get assessment room tips in your inbox

Short, practical breakdowns of what assessors actually ask and how to answer. No compliance jargon, no sales pitch. Subscribe free on Substack.

If you use an MSP or MSSP

Your MSSP should be provisioning accounts with this setting enabled automatically. When they create a new account, “user must change password at next logon” should be checked by default. If it’s not, ask them why.

Your MSSP should also have a process for delivering temporary passwords. If they’re emailing them, push back. Have them deliver them securely or let you handle delivery if you prefer.

In the assessment, your MSSP can describe the provisioning process and show examples. The contractor can speak to the delivery method if needed.

Ask your MSSP: "When you provision new accounts, what's your process for temporary passwords?" They should say something like "we create the account with 'must change at next logon' enabled and deliver the temporary password [method]." If they don't have a clear answer, get them to document it.

This guidance is based on assessment room experience and reflects one practitioner’s interpretation of CMMC Level 2 requirements. It is not legal or compliance advice. Always consult your compliance team and official CMMC documentation for final guidance.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.

← IA.L2-3.5.10: Cryptographically-Protected Passwords All Practices IA.L2-3.5.8: Password Reuse →