Security Build Overview - Applicants

The Security Build is an update to the Grants.gov system to comply with the National Institute of Standards and Technology (NIST) security standards. The changes for the build will be available on October 11, 2010. Applicants will experience a number of system changes to passwords and logins, including:

  • New password requirements.
  • 60-day password expiration.
  • New change password option.
  • Enhancements to "I Forgot My Password".
  • Account lockout for incorrect passwords.
  • User roles removed after one (1) year of inactivity.
  • Updates to the user profile.

PLEASE NOTE:
These updates will not apply to System-to-System accounts. For Funding Opportunities posted prior to October 11, 2010 with due dates after October 11, 2010: Users may experience invalid user name and password messages when attempting to submit application packages. These users will be asked to reset their password using the "Password Reset" functionality.

The Security Build follows the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53A, Recommended Security Controls for Federal Information Systems. The items listed below will be included in the Security Build on October 11, 2010.

The items below explain the changes to the system and what to expect once the security build is in place.

  1. New Password Requirements

    When an applicant (Authorized Organization Representative (AOR) or Individual) changes a password in the Grants.gov system, the password will have to comply with the following requirements:

    • Cannot be the same as the previous six (6) passwords.
    • Must contain at least eight (8) characters.
    • Must contain at least one (1) number.
    • Must contain at least one (1) uppercase letter.
    • Must contain one (1) lowercase letter.
    • Must contain one (1) special character.

    What to expect:
    When an applicant changes a password, prompts will be displayed with instructions to comply with the new password requirements.
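
One way to enforce the rules above at password-change time, including the previous-six check without keeping old passwords in plaintext. This is an added example, not Grants.gov code; the `PasswordHistory` class, the PBKDF2 work factor, the treatment of "special character" as ASCII punctuation, and counting the password being replaced as one of the six are all assumptions.

```python
import hashlib
import hmac
import os
import string
from collections import deque

HISTORY_DEPTH = 6        # page: cannot match the previous six passwords
MIN_LENGTH = 8           # page: at least eight characters
PBKDF2_ROUNDS = 100_000  # assumption: work factor picked for this example


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def complexity_errors(password: str) -> list:
    """Return the unmet composition rules, in the order the page lists them."""
    checks = [
        (len(password) >= MIN_LENGTH, "at least eight characters"),
        (any(c.isdigit() for c in password), "at least one number"),
        (any(c.isupper() for c in password), "at least one uppercase letter"),
        (any(c.islower() for c in password), "one lowercase letter"),
        # Assumption: "special character" means ASCII punctuation.
        (any(c in string.punctuation for c in password), "one special character"),
    ]
    return [rule for ok, rule in checks if not ok]


class PasswordHistory:
    """Keeps salted hashes of the six most recent passwords, never plaintext."""

    def __init__(self):
        self._entries = deque(maxlen=HISTORY_DEPTH)  # (salt, digest), oldest first

    def reused(self, candidate: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(hmac.compare_digest(_digest(candidate, salt), digest)
                   for salt, digest in self._entries)

    def change(self, new_password: str) -> list:
        """Apply a password change; return [] on success or the failed rules."""
        errors = complexity_errors(new_password)
        if self.reused(new_password):
            errors.append("cannot match the previous six passwords")
        if not errors:
            salt = os.urandom(16)
            self._entries.append((salt, _digest(new_password, salt)))
        return errors
```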

  2. Passwords Expire In 60 Days

    Starting the day of implementation, all passwords will expire in 60 days.

    Going forward, all passwords will expire every 60 days. For example, if a password is changed today, today is considered as day one (1). This password will be valid for 60 calendar days and will not be valid on the 61st day or onward.

    Without a valid password, an applicant will not be able to log in to Grants.gov and submit an application.

    What to expect:
    Applicant Center Login

    • Applicants who successfully log in to Grants.gov will see a password expiration warning message, beginning 15 days before expiration. At each login, Grants.gov will display a countdown of the number of days until the password expires, until the password is changed.
    • No users with an expired password will be able to log in using the browser. Users can change the password by using the "Change My Password" button on the login page. If the user is successful in changing the password, then the user will be able to log in.

    Application Submission

    • Applicants will not be able to submit their application if a password has expired.
      • Applicants will receive an error message with instructions to change the password. After changing the password, applicants can submit the application immediately.

    Password Expiration Email Notification

    • All users will receive two (2) email notifications before passwords expire.
      • The first email notification will be sent 15 days before the password expires.
      • The second email notification will be sent five (5) days before the password expires.

  3. New Change Password Option

    Applicants will be able to change a password at any time by entering their current password and entering a new password twice correctly. The change password option will be provided on the applicant login page and within the Applicant Center.

    What to expect:
    When applicants receive the email notification that their password will expire, they can use the Change My Password functionality to avoid password expiration.

  4. Enhancements To "I Forgot My Password"

    Currently, the only way to retrieve a forgotten password is to answer the security question. If an applicant forgets the answer to the security question, a new option will be available on the "I Forgot My Password/Unlock My Account" page. The new option allows applicants to request a system-generated password through an email message. The system will send the email to the address in the user's profile.

    What to expect:
    Applicants will receive the system-generated password. The password will not expire for 60 days.

  5. Account Lockout For Incorrect Passwords

    The applicant's account will lock for 15 minutes if the user provides the wrong password three (3) consecutive times within a five (5) minute period.

    What to expect:
    Applicant Center Login

    • Once an applicant is locked out, the applicant will not be able to log in through the browser for 15 minutes.
      • After 15 minutes with no attempts to log in, the applicant can log in to the system with the correct password.
      • Applicants who don't know the correct password can unlock an account within 15 minutes by using the "I Forgot My Password/Unlock My Account" option, or by requesting a system-generated password.

    Applications

    • Applicants will not be able to submit their applications during the lockout period (15 minutes).
      • Applicants can unlock an account by using the "I Forgot My Password/Unlock My Account" option by entering their correct username and password during the 15-minute period, or by requesting a system-generated password and then submitting the application.
      • The applicant can also wait for 15 minutes and then, by logging in with a correct password, submit the application.
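
The lockout rule in this item (three consecutive wrong passwords within five minutes, then a 15-minute lock) sketched as a small state machine. This is an added example, not Grants.gov code; the `LoginThrottle` class, timestamps in seconds supplied by the caller, and the choice that attempts made during a lockout are refused without extending it are assumptions.

```python
from collections import deque

MAX_FAILURES = 3            # three (3) consecutive wrong passwords
FAILURE_WINDOW = 5 * 60     # within a five (5) minute period, in seconds
LOCKOUT_SECONDS = 15 * 60   # account locks for 15 minutes


class LoginThrottle:
    def __init__(self):
        self._failures = {}      # username -> timestamps of the current failure run
        self._locked_until = {}  # username -> time at which the lock ends

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0)

    def record_attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return "ok", "failed" or "locked" for one login or submission attempt."""
        if self.is_locked(user, now):
            # Even the correct password is refused until the lock ends.
            return "locked"
        run = self._failures.setdefault(user, deque(maxlen=MAX_FAILURES))
        if password_ok:
            run.clear()          # a success ends the run of consecutive failures
            return "ok"
        run.append(now)          # maxlen keeps only the last three failures
        if len(run) == MAX_FAILURES and now - run[0] <= FAILURE_WINDOW:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            run.clear()
            return "locked"
        return "failed"

    def unlock(self, user: str) -> None:
        """Early unlock, e.g. after a reset through the unlock page."""
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)
```

Because only the last three failure times are kept, slow guessing spread over more than five minutes does not trip the lock, while any three failures that fit inside the window do.
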
  6. Changes To "Manage My Profile"

    User profile updates for applicants include two types of fields: those that can be updated and those that cannot.

    What to expect:
    For applicant users, the following fields cannot be updated on the "Manage My Profile" page:

    • Username
    • DUNS

    The following fields can be updated on the "Manage My Profile" page:

    • First Name
    • MI
    • Last Name
    • Job Title
    • Telephone
    • Email
    • Secret Question
    • Secret Answer

  7. User Roles Removal After One (1) Year Of No Activity

    Accounts that are inactive for one (1) calendar year will be deactivated. An inactive account is defined as having no login activity for one (1) year.

    What to expect for an AOR:
    Once the account is inactive, the role for AORs will be removed and the applicant will not be able to log in or apply for grant opportunities. To reactivate an account, the applicant must change the password. The AOR will not be able to submit applications until the E-Biz POC reassigns the applicant as an AOR.

    If the 60-day expiration notifications are ignored and there is no account activity, an email notification will be sent to the applicant every week for four (4) weeks prior to account deactivation and role removal. The username will be included in the email notifications as well as a link to update the password.

    What to expect for an Individual:
    Once the account is inactive, the Individual applicant will need to change their password to reactivate their account.

    If the 60-day expiration notifications are ignored and there is no account activity, an email notification will be sent to the applicant every week for four (4) weeks prior to account deactivation. The username will be included in the email notifications as well as a link to update the password.