Security Build Overview - E-Business Point of Contacts (E-Biz POC)

The Security Build is an update to the Grants.gov system to comply with the National Institute of Standards and Technology (NIST) security standards. The changes for the build will be available on October 11, 2010. These updates will not apply to System-to-System accounts. E-Biz POCs will experience a number of system changes, including updates to passwords and logins:

  1. Applicant Center shortcut to E-Biz POC functionality
  2. E-Biz POC login update
  3. New password requirements
  4. 60-day password expiration
  5. New change password option
  6. New "I Forgot My Password/Unlock My Account"
  7. Account lockout for incorrect passwords

The Security Build follows the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53A, Recommended Security Controls for Federal Information Systems. The items listed below will be included in the Security Build on October 11, 2010.

The items below explain the changes to the system and what to expect once the Security Build is in place.

  1. Applicant Center Shortcut To Enable E-Business Point Of Contact (E-Biz POC) Functionality

    Once the AOR is logged into the Applicant Center, an option will be available to request E-Biz POC authorization. A prompt for an MPIN will be displayed the first time E-Biz POC functionality is selected. A valid MPIN must be entered at every session in order to be granted E-Biz POC authorization. Once a valid MPIN is entered, the AOR can act as the E-Biz POC and perform the following functions:

    • Issue AOR role(s)
    • Revoke AOR role(s)
    • View all submissions for the organization's DUNS
    • Deactivate AOR account(s)
    • Revoke E-Biz POC role assigned to other AOR accounts.

    If the AOR enters the correct MPIN at the Applicant Center, the AOR will begin to receive E-Biz POC email notifications when a new AOR registers under the organization's Data Universal Numbering System (DUNS) number. If the AOR does not enter the correct MPIN, the AOR will not receive E-Biz POC email notifications until they enter a valid MPIN.

  2. E-Business Point Of Contact (E-Biz POC) Account Login Update
    When an existing E-Biz POC logs in for the first time after the Security Build is released, the E-Biz POC will enter the DUNS and, in the Password field, the MPIN. The system will immediately require the E-Biz POC to change the password to one that complies with the password complexity rules (see "3. New Password Requirements" for details).

    Once this security control is implemented, when a new E-Biz POC account is established, a system-generated password will be sent in an email to be used to log in to the account. The new password will be sent to the SAM email address on file with Grants.gov.

  3. New Password Requirements

    When an E-Biz POC changes a password in the Grants.gov system, the password will have to comply with the following requirements:

    • Cannot be the same as the previous six (6) passwords.
    • Must contain at least eight (8) characters.
    • Must contain at least one (1) number.
    • Must contain at least one (1) uppercase letter.
    • Must contain one (1) lowercase letter.
    • Must contain one (1) special character.

    What to expect:
    When an E-Biz POC changes a password, prompts will be displayed with instructions to comply with the new password requirements.

  4. Passwords Expire In 60 Days

    A 60-day password expiration policy for accounts will be implemented.

    Going forward, all passwords will expire every 60 days. For example, if a password is changed today, today is considered day one (1). The password will be valid for 60 calendar days and will not be valid from the 61st day onward.

    Without a valid password, an E-Biz POC will not be able to log in to Grants.gov and approve AORs or check the application status of the organization.

    What to expect for E-Biz POC Center Login:

    E-Biz POCs who successfully log in to Grants.gov will see a password expiration warning message, beginning 15 days before expiration. Each time the user logs in, Grants.gov will display a countdown of the number of days until the password expires, until the password is changed. No user with an expired password will be able to log in using the browser. Users can change the password by using the "Change My Password" button on the login page. Once the password has been changed successfully, the user will be able to log in.

    Password Expiration Email Notification

    • All users will receive two (2) email notifications before passwords expire.
      • The first email notification will be sent 15 days before the password expires.
      • The second email notification will be sent five (5) days before the password expires.

  5. New Change Password Option
    E-Biz POCs will be able to change a password at any time by entering their current password and entering a new password twice correctly. The change password option will be provided on the E-Biz POC login page and the E-Biz POC center.

    What to expect:
    When E-Biz POCs receive the email notification that their password will expire, they can use the Change My Password functionality to avoid password expiration.

  6. New "I Forgot My Password/Unlock My Account" For E-Biz POC
    The new option allows E-Biz POCs to request a system-generated password through an email message. The system will send the email to the address in the user's profile.

    What to expect:
    E-Biz POCs will receive the system-generated password. The password will not expire for 60 days.

  7. Account Lockout For Incorrect Passwords
    The E-Biz POC's account will lock for 15 minutes if the user provides an incorrect password three (3) consecutive times within a five (5) minute period.

    Once an E-Biz POC is locked out, the E-Biz POC will not be able to log in through the browser for 15 minutes.

    • After 15 minutes with no attempts to log in, the E-Biz POC can log in to the system with the correct password.
    • E-Biz POCs who don't know the correct password can unlock an account within 15 minutes by using the "I Forgot My Password/Unlock My Account" option to request a system-generated password.
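
The lockout rule in item 7 can be modelled as a sliding window over consecutive failures. The sketch below is an added example, not Grants.gov code; the class and function names are hypothetical, and it assumes that attempts made during a lockout are rejected without extending it.

```python
from collections import deque

MAX_FAILURES = 3          # three (3) consecutive incorrect passwords
WINDOW_SECONDS = 5 * 60   # ...within a five (5) minute period
LOCK_SECONDS = 15 * 60    # the account locks for 15 minutes


class LockoutTracker:
    """Per-account lockout state; timestamps are seconds on any steady clock."""

    def __init__(self):
        self.failures = deque()   # times of consecutive failures in the window
        self.locked_until = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def attempt(self, now, password_ok):
        """Record one login attempt; return 'locked', 'ok' or 'denied'."""
        if self.is_locked(now):
            # Reject without evaluating the password, so a locked account
            # gives no feedback on guesses. Assumption: lock is not extended.
            return "locked"
        if self.locked_until is not None:
            self.unlock()             # lock has expired: start clean
        if password_ok:
            self.failures.clear()     # a success breaks the consecutive run
            return "ok"
        self.failures.append(now)
        # Drop failures that have aged out of the five-minute window.
        while now - self.failures[0] >= WINDOW_SECONDS:
            self.failures.popleft()
        if len(self.failures) >= MAX_FAILURES:
            self.locked_until = now + LOCK_SECONDS
            return "locked"
        return "denied"

    def unlock(self):
        """Lock expiry, or the 'I Forgot My Password/Unlock My Account' path."""
        self.failures.clear()
        self.locked_until = None


def replay(events):
    """Run constructed (timestamp, password_ok) events through a new tracker."""
    tracker = LockoutTracker()
    return [tracker.attempt(t, ok) for t, ok in events]
```
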
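
The password requirements in item 3 combine character-class rules with a history check, which has to work against stored hashes rather than plaintext. The sketch below is an added example, not Grants.gov code; the function names are hypothetical, and it assumes salted PBKDF2 storage, that "special character" means any non-alphanumeric character, and that the six-entry history includes the current password.

```python
import hashlib
import hmac
import os
import re

HISTORY_DEPTH = 6        # cannot be the same as the previous six (6) passwords
MIN_LENGTH = 8           # must contain at least eight (8) characters
PBKDF2_ROUNDS = 100_000  # assumption: the page does not describe storage

# (rule text, pattern) pairs taken from the list in item 3.
CHAR_RULES = [
    ("at least one number", re.compile(r"[0-9]")),
    ("at least one uppercase letter", re.compile(r"[A-Z]")),
    ("one lowercase letter", re.compile(r"[a-z]")),
    ("one special character", re.compile(r"[^A-Za-z0-9]")),  # assumption
]


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def policy_violations(candidate, history):
    """List every rule the candidate breaks; history is [(salt, digest)], newest last."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("at least eight characters")
    problems += [text for text, rx in CHAR_RULES if not rx.search(candidate)]
    # Re-hash the candidate under each stored salt and compare in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("not one of the previous six passwords")
            break
    return problems


def change_password(candidate, history):
    """Apply the change if compliant; return (accepted, problems, new_history)."""
    problems = policy_violations(candidate, history)
    if problems:
        return False, problems, history
    return True, [], (history + [hash_password(candidate)])[-HISTORY_DEPTH:]
```
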