IA.2.078

Control Acronym

IA

Family

Identification And Authentication

CMMC Level

2

800-171 Control #

3.5.7

CMMC Description

Enforce a minimum password complexity and change of characters when new passwords are created.

CMMC Clarification

Password complexity means using different types of characters as well as a specified minimum number of characters. Character types include numbers, lowercase and uppercase letters, and symbols. Define the lowest level of password complexity required and enforce that rule for all passwords. Example: You are in charge of setting your organization's password rules. Everyone must use a combination of different types of characters for all new and changed passwords, and there is an established minimum number of characters for each password. Character types include numbers, lowercase and uppercase letters, and symbols. These rules help create hard-to-guess passwords, which help to secure your network.

800-171 Description

Enforce a minimum password complexity and change of characters when new passwords are created.

800-171 Discussion

This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.
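
The following is an added worked example, not text or code from CMMC or NIST SP 800-171, showing how the two checks in this control (minimum complexity, and minimum number of changed characters against the current password) and the salting mentioned in the discussion can be enforced in code. The policy thresholds (MIN_LENGTH, MIN_CLASSES, MIN_CHANGED_CHARS) are hypothetical values chosen for the example; the organization's own policy supplies the real ones. "Number of changes required" is interpreted here as the Levenshtein edit distance between the current and the new password (insertions, deletions and substitutions), which is one reasonable reading of the discussion text, not the only one.

```python
import hashlib
import hmac
import os
import string

# Hypothetical policy values for this example only; a real policy document
# defines these numbers (they are not taken from the CMMC or NIST text).
MIN_LENGTH = 12
MIN_CLASSES = 3         # out of: lowercase, uppercase, digits, symbols
MIN_CHANGED_CHARS = 4   # minimum edits between the current and new password

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def complexity_violations(password: str) -> list:
    """Sub-criteria [a]/[c]: minimum length and minimum number of classes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(f"uses {len(classes)} character classes, "
                        f"policy requires {MIN_CLASSES}")
    return problems


def changed_characters(old: str, new: str) -> int:
    """Sub-criteria [b]/[d]: single-character edits (insert, delete,
    substitute) needed to turn the current password into the new one.
    Assumption: Levenshtein distance is used as the change-of-character
    metric; it counts changes relative to every position of the current
    password, so a length change also counts as a change."""
    prev = list(range(len(new) + 1))
    for i, oc in enumerate(old, 1):
        cur = [i]
        for j, nc in enumerate(new, 1):
            cost = 0 if oc == nc else 1
            cur.append(min(prev[j] + 1,        # delete a character of old
                           cur[j - 1] + 1,     # insert a character of new
                           prev[j - 1] + cost))  # substitute (or keep)
        prev = cur
    return prev[-1]


def validate_new_password(old: str, new: str) -> list:
    """Return all policy violations; an empty list means the change is allowed."""
    problems = complexity_violations(new)
    changed = changed_characters(old, new)
    if changed < MIN_CHANGED_CHARS:
        problems.append(f"only {changed} characters changed from the current "
                        f"password, policy requires {MIN_CHANGED_CHARS}")
    return problems


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000):
    """Salted PBKDF2-HMAC-SHA256. A random per-password salt is what the
    discussion refers to: it stops precomputed (rainbow-table) attacks and
    makes identical passwords hash differently. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = 600_000) -> bool:
    """Recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: a user bumps the year in an otherwise unchanged password.
    print(validate_new_password("Winter2023!Pass", "Winter2024!Pass"))
    # Constructed sample: a new password that satisfies every check.
    print(validate_new_password("Winter2023!Pass", "Correct-Horse-Battery-9"))
```

The first sample passes the complexity check (four character classes, fifteen characters) but fails the change-of-character check with a single edit, which is exactly the pattern the "change of characters" requirement exists to block. On Linux the same two checks are available without custom code through pam_pwquality (minlen, minclass and difok in /etc/security/pwquality.conf); whatever mechanism is used, the evidence an assessor wants for [c] and [d] is that the check runs at password creation, not only that the numbers are written down.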

Other Source Discussion

N/A

CIS Control References

CIS Controls v7.1 4.2, 4.4

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 IA-5(1)

NIST 800-171 References

NIST SP 800-171 Rev 1 3.5.7

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7

UK NCSC Cyber Reference

UK NCSC Cyber Essentials

Sub-Criteria

Assessment Sub-Criteria 1

IA.2.078.[a] password complexity requirements are defined;

Assessment Sub-Criteria 2

IA.2.078.[b] password change of character requirements are defined;

Assessment Sub-Criteria 3

IA.2.078.[c] minimum password complexity requirements as defined are enforced when new passwords are created; and

Assessment Sub-Criteria 4

IA.2.078.[d] minimum password change of character requirements as defined are enforced when new passwords are created.