The new cybersecurity maturity model certification (CMMC) model does not mention specific password length, complexity, password history, or password renewal requirements. To play it safe we recommend that you adhere to the password recommendations from the Center for Internet Security (CIS).
Center for Internet Security (CIS) Password Recommendations
10 character minimum length
Password complexity: uppercase letters, lowercase letters, numbers, and symbols
Change passwords at least every 60 days
Prevent the reuse of the past 24 passwords
Set the minimum password age to one day (so that users can’t change their password 24 times to reuse their old password)
Set account login thresholds to 10 or fewer invalid login attempts. (Keep in mind that the fewer attempts you allow the more password related issues your users will have.)
Change default passwords on accounts when setting up new equipment.
If a user accesses several accounts, require them to use a separate password for each.
Do not allow the use of names, user account names, or other personal information in passwords.
Store all passwords using strong salting and hashing functions.
Do not store passwords using reversible encryption.
Train users to use separate passwords for work and personal accounts.
Finding the Right Balance
If you make your password requirements too stringent you will experience an increase in password “issues”. This means more password-related tickets and less productivity. If you have weak password requirements you are setting yourself up to be an easy target for attackers. Even NIST has eased its stance on password after research showed that too stringent password requirements negatively impact security.
When it comes to password requirements, find a middle ground that works best for your company's culture and the capabilities of your employees.
CMMC does not mention specific password length, complexity, or reset requirements. Your company should decide on them.
You can not go wrong with password recommendations from the Center for Internet Security.
C009: Identify and protect audit information
Before implementing password requirements, think about how they will impact security and productivity.
If you found this information useful and want to learn more about CMMC reach out to us at info[@]lakeridge.us
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.