CIS-6.3 / IA-5 / A.9.4.3 CIS Controls v8

Password manager provided to all staff

Demonstrate that all staff have been provisioned with a password manager solution, are trained on its use, and actively utilize it for credential management in accordance with organizational policy.

Description

What this control does

This control requires the organization to procure, deploy, and maintain a password manager solution for all staff members to securely generate, store, and retrieve credentials. The password manager should enforce strong, unique passwords for each service or application, eliminating the need for users to memorize or reuse weak passwords. By centralizing credential management with encryption at rest and in transit, this control reduces the risk of credential theft, phishing success, and password-related breaches.

Control objective

What auditing this proves

Demonstrate that all staff have been provisioned with a password manager solution, are trained on its use, and actively utilize it for credential management in accordance with organizational policy.

Associated risks

Risks this control addresses

  • Credential reuse across multiple systems enabling lateral movement after a single compromise
  • Weak or easily guessable passwords chosen by users to aid memorization
  • Credentials stored in plaintext documents, spreadsheets, browser autofill, or sticky notes vulnerable to theft or exposure
  • Successful phishing attacks resulting in credential disclosure due to lack of autofill domain verification
  • Credential compromise via shoulder surfing or social engineering when passwords are manually typed or visible
  • Inability to enforce password complexity and rotation policies without centralized tooling
  • Loss of access to critical systems when employees forget credentials and no secure recovery mechanism exists

Testing procedure

How an auditor verifies this control

  1. Obtain a current roster of all active staff members including employees, contractors, and privileged users.
  2. Request and review the password manager procurement records, licensing agreements, and deployment timeline documentation.
  3. Obtain the password manager deployment policy including provisioning procedures, user onboarding steps, and acceptable use guidelines.
  4. Review training materials and attendance records confirming all staff received password manager onboarding and usage training.
  5. Access the password manager administrative console and export a list of all provisioned user accounts with activation status and last login dates.
  6. Select a random sample of 15-25 staff members across departments and verify each has an active, licensed password manager account.
  7. Interview 5-8 sampled users to confirm they have installed the password manager client, completed initial setup, and actively use it for work-related credentials.
  8. Review helpdesk tickets or support logs related to password manager issues to assess adoption barriers and remediation efforts.
Evidence required

Collect the complete user provisioning report from the password manager administrative console showing all active accounts, activation dates, and last access timestamps. Obtain copies of the password manager deployment policy, training completion records with attendee names and dates, and procurement or licensing documentation proving coverage for all staff. Capture screenshots of the administrative dashboard showing total provisioned licenses versus active users, and retain interview notes or survey responses from sampled staff confirming active usage.

Pass criteria

All current staff members possess an active, licensed password manager account with evidence of initial activation, training completion records exist for all users, and sampled interviews confirm active utilization for credential management.
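A reconciliation script for testing steps 5 and 6 and the pass criteria, added here as an example and not part of this control page: it compares a constructed HR roster against a constructed admin-console export and reports staff with no licensed account, licensed but never-activated accounts, activated accounts unused beyond an assumed 30-day window, and licensed accounts with no matching active staff member. The CSV column names and the 30-day threshold are assumptions; real exports differ by vendor.

```python
import csv
import io
from datetime import datetime

# Constructed HR roster (testing step 1): active employees and contractors.
ROSTER_CSV = """email,name,status
alice@example.com,Alice,active
bob@example.com,Bob,active
carol@example.com,Carol,active
dave@example.com,Dave,active
erin@example.com,Erin,terminated
"""

# Constructed admin-console export (testing step 5); column names are assumed.
PM_EXPORT_CSV = """email,licensed,activated,last_login
alice@example.com,yes,2024-01-10,2024-06-01
bob@example.com,yes,,
carol@example.com,yes,2024-02-01,2024-02-03
frank@example.com,yes,2023-11-20,2024-06-10
"""

INACTIVE_DAYS = 30  # assumed threshold for "actively utilize"


def _parse(iso_date):
    return datetime.strptime(iso_date, "%Y-%m-%d").date() if iso_date else None


def reconcile(roster_csv, export_csv, as_of_iso):
    """Compare roster against export; return findings keyed by the gap found."""
    as_of = _parse(as_of_iso)
    roster = {r["email"].lower() for r in csv.DictReader(io.StringIO(roster_csv))
              if r["status"] == "active"}
    export = {r["email"].lower(): r for r in csv.DictReader(io.StringIO(export_csv))}
    f = {"no_account": [], "not_activated": [], "inactive": [], "orphaned": []}
    for email in sorted(roster):
        row = export.get(email)
        if row is None or row["licensed"] != "yes":
            f["no_account"].append(email)       # no licensed account at all
        elif not row["activated"]:
            f["not_activated"].append(email)    # licensed but never set up
        else:
            last = _parse(row["last_login"])
            if last is None or (as_of - last).days > INACTIVE_DAYS:
                f["inactive"].append(email)     # activated but not in use
    # Licensed accounts with no matching active staff member (e.g. leavers).
    f["orphaned"] = sorted(e for e in export if e not in roster)
    # Pass criteria: every active staff member has an activated, licensed account.
    f["pass"] = not (f["no_account"] or f["not_activated"])
    return f


if __name__ == "__main__":
    for key, value in reconcile(ROSTER_CSV, PM_EXPORT_CSV, "2024-06-15").items():
        print(f"{key}: {value}")
```

The inactive and orphaned lists do not fail the control on their own but point the auditor at who to interview in step 7 and at licences to reclaim.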

Where this control is tested

Audit programs including this control