Level 5 CMMC - CMMC Practices

IA.2.078  

Reference: CMMC 1.02

Family: IA

Level Introduced: 2

Practice:
Enforce a minimum password complexity and change of characters when new passwords are created.

CMMC Clarification:
Password complexity means using different types of characters as well as a specified number of characters. These include numbers, lowercase and uppercase letters, and symbols. Define the lowest level of password complexity required. Enforce this rule for all passwords.

Example:
You are in charge of setting your organization’s password rules. Everyone must use a combination of different types of characters for all new and changed passwords. Also, there is an established number of minimum characters for each password. Characters include numbers, lowercase and uppercase letters, and symbols. These rules help create hard-to-guess passwords, which help to secure your network.

3.5.7

Enforce a minimum password complexity and change of characters when new passwords are created.

Discussion:
This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.

Source: NIST Special Publication 800-171 Rev. 2

IA-5 (1)

AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION

Description:
The information system, for password-based authentication:
    (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
    (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
    (c) Stores and transmits only cryptographically-protected passwords;
    (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
    (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
    (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.

Supplemental Guidance:
This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6.

Source: NIST Special Publication 800-53 Rev. 4
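The following is an added worked example, not text from CMMC or NIST, showing how the requirements in the 3.5.7 discussion and in IA-5(1) parts (a), (b), (c) and (e) can be enforced in code: a minimum complexity check, a count of characters changed relative to the current password, salted one-way hashing of stored passwords, and a reuse check over a number of prior generations. All policy numbers (12 characters, 4 changed characters, 5 generations), the PBKDF2 iteration count and the choice of edit distance as the way to count "changed characters" are assumptions made for this example; an organization supplies its own values in the control's [Assignment] brackets.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy values for illustration only (the control leaves them
# organization-defined).
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_symbols: int = 1
    min_changed_chars: int = 4     # IA-5(1)(b)
    history_generations: int = 5   # IA-5(1)(e)


def complexity_violations(pw: str, policy: PasswordPolicy) -> List[str]:
    """IA-5(1)(a): minimum length and minimum count of each character type."""
    counts = {
        "uppercase letter": sum(c.isupper() for c in pw),
        "lowercase letter": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "symbol": sum(c in string.punctuation for c in pw),
    }
    minimums = {
        "uppercase letter": policy.min_upper,
        "lowercase letter": policy.min_lower,
        "digit": policy.min_digits,
        "symbol": policy.min_symbols,
    }
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"length {len(pw)} is below minimum {policy.min_length}")
    for kind, needed in minimums.items():
        if counts[kind] < needed:
            problems.append(f"needs at least {needed} {kind}(s), has {counts[kind]}")
    return problems


def changed_characters(current: str, new: str) -> int:
    """IA-5(1)(b): number of positions that must change to turn the current
    password into the new one. Edit (Levenshtein) distance is used here so
    that shifting the old password by one position still counts as a small
    change; this interpretation is an assumption of the example."""
    prev = list(range(len(new) + 1))
    for i, c in enumerate(current, 1):
        cur = [i]
        for j, n in enumerate(new, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (c != n)))
        prev = cur
    return prev[-1]


# Constructed iteration count; production systems should follow current
# guidance for the chosen KDF.
PBKDF2_ITERATIONS = 100_000


@dataclass(frozen=True)
class StoredPassword:
    salt: bytes
    digest: bytes


def protect(pw: str, salt: Optional[bytes] = None) -> StoredPassword:
    """IA-5(1)(c): store only a salted one-way hash, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return StoredPassword(salt, digest)


def matches(pw: str, stored: StoredPassword) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), stored.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored.digest)  # constant-time compare


def evaluate_change(current_plain: str, new_plain: str,
                    history: List[StoredPassword], policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations for a proposed change; an empty
    list means the new password is acceptable. The current password is in
    plaintext only because the user just proved it at change time; history
    entries are the newest-first salted hashes of previous passwords."""
    problems = complexity_violations(new_plain, policy)
    changed = changed_characters(current_plain, new_plain)
    if changed < policy.min_changed_chars:
        problems.append(f"only {changed} character(s) changed; policy requires {policy.min_changed_chars}")
    for generation, record in enumerate(history[:policy.history_generations], 1):
        if matches(new_plain, record):
            problems.append(f"password reused (matches generation {generation} back)")
            break
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [protect("Correct-Horse-7")]          # constructed prior password
    print(evaluate_change("Correct-Horse-7", "Correct-Horse-8", [], policy))
    print(evaluate_change("Winter-Coat-2024!", "Correct-Horse-7", history, policy))
    print(evaluate_change("Correct-Horse-7", "Blue-Kettle-92!", history, policy))
```

At change time the system already has the old password in cleartext (the user supplied it to authenticate), so the changed-character count can be computed directly; the history check, by contrast, never needs old passwords in cleartext, only their salted hashes, which is why storage and comparison are kept separate from the complexity logic.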

Source: CMMC v1.02