Requirement text: IA.2.078: Enforce a minimum password complexity and change of characters when
new passwords are created.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
This requirement applies to single-factor authentication of individuals using passwords as
individual or group authenticators, and in a similar manner, when passwords are used as
part of multifactor authenticators. The number of changed characters refers to the number
of changes required with respect to the total number of positions in the current password.
To mitigate certain brute force attacks against passwords, organizations may also consider
salting passwords.
CMMC CLARIFICATION
Password complexity means requiring a minimum number of characters as well as a mix of
different character types: numbers, lowercase and uppercase letters, and symbols. Define
the lowest level of password complexity required and enforce that rule for all passwords.
Example
You are in charge of setting your organization’s password rules. Everyone must use a
combination of different types of characters for all new and changed passwords, and a
minimum number of characters is established for every password. Characters include
numbers, lowercase and uppercase letters, and symbols. These rules help create hard-to-guess
passwords, which help to secure your network.
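The following is an added illustration, not code from the CMMC model or from NIST, of the three checks the practice and the source discussion describe: minimum length, a minimum number of character classes, and a minimum number of changes relative to the current password, plus the salted hashing the discussion mentions as a brute-force mitigation. The thresholds (14 characters, 3 classes, 4 changes) and the PBKDF2 iteration count are assumptions chosen for the example; the practice leaves the actual numbers to the organization. "Number of changes required" is implemented as edit distance (insertions, deletions, substitutions), which is one reasonable reading of the source text and has the practical benefit that appending one character or shifting the old password by one position does not pass as a change of many positions.

```python
import hashlib
import hmac
import secrets
import string

# Policy thresholds: assumed values for this example, not CMMC-mandated numbers.
MIN_LENGTH = 14       # minimum number of characters
MIN_CLASSES = 3       # classes required out of lower / upper / digit / symbol
MIN_CHANGED = 4       # minimum number of changes relative to the current password
PBKDF2_ITERATIONS = 600_000


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
        # Anything else (spaces, non-ASCII) counts toward length but not a class.
    return classes


def changes_required(current, new):
    """Levenshtein edit distance: the minimum number of single-character
    insertions, deletions or substitutions that turn `current` into `new`."""
    prev = list(range(len(new) + 1))          # row for an empty prefix of current
    for i, c in enumerate(current, start=1):
        cur = [i]                              # deleting all i characters so far
        for j, n in enumerate(new, start=1):
            cost = 0 if c == n else 1
            cur.append(min(prev[j] + 1,        # delete c
                           cur[j - 1] + 1,     # insert n
                           prev[j - 1] + cost))  # substitute, or keep if equal
        prev = cur
    return prev[-1]


def policy_violations(new, current=None):
    """Return the list of rules the proposed password breaks; empty means OK.
    `current` is the plaintext the user supplies at change time, so the
    changed-characters rule can be checked without storing old passwords."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(new)
    if len(classes) < MIN_CLASSES:
        problems.append(f"uses {len(classes)} character classes, need {MIN_CLASSES}")
    if current is not None and changes_required(current, new) < MIN_CHANGED:
        problems.append(f"fewer than {MIN_CHANGED} changes from the current password")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt per password means equal
    passwords get different hashes, so one precomputed table cannot be reused
    across the user base; the iteration count slows each brute-force guess."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


if __name__ == "__main__":
    current = "Autumn-Leaves-2019!"   # constructed sample, not a real credential
    for candidate in ("Autumn-Leaves-2020!", "autumnleaves", "Winter#Frost-Arrives-7"):
        print(candidate, "->", policy_violations(candidate, current) or "OK")
    salt, digest = hash_password("Winter#Frost-Arrives-7")
    print("verify:", verify_password("Winter#Frost-Arrives-7", salt, digest))
```

Of the three constructed candidates, "Autumn-Leaves-2020!" meets the length and class rules but differs from the current password in only two positions, so it is rejected under the changed-characters rule; "autumnleaves" fails on both length and classes. The salt and digest are what would be stored; the plaintext password is never written anywhere.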
References
• NIST SP 800-171 Rev 1 3.5.7
• CIS Controls v7.1 4.2, 4.4
• NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7
• NIST SP 800-53 Rev 4 IA-5(1)
• UK NCSC Cyber Essentials