Individuals and devices accessing Agency-owned enterprise information resources over an active session shall re-authenticate the primary authenticator against the enterprise directory at least daily. Workstations not connected to a domain controller shall require the user to re-authenticate every 14 days. The second factor of a two-factor authenticator shall be re-authenticated at least every 30 days.
Authentication may become stale, allowing a no-longer-authenticated user access.
The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
The organization may require re-authentication of individuals and/or devices:
a. when authenticators change;
b. when roles change;
c. when security categories of information systems change;
d. when the execution of privileged functions occurs;
e. after a fixed period of time; or
f. periodically.