CMMC Practice IA.L2-3.5.9

Allow temporary password use for system logons with an immediate change to a permanent password.

Bold Coast Security Guidance

All users must change their initial password when they first sign in. Be sure to follow this practice for all application and system accounts, not just user network accounts. As mentioned in practice IA.2.080, we strongly suggest you do NOT use the same temporary password when creating new accounts. It creates an unnecessary vulnerability.

Discussion From Source

DRAFT NIST SP 800-171 R2 Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises.

References