CMMC 2.0 • LEVEL 1 • IDENTIFICATION & AUTHENTICATION
IA.L1-3.5.7 — Password Management
Maintain a list of commonly used, expected, or compromised passwords, and update the list 15 characters minimum (CMMC/STIG) and when organizational passwords are suspected to have been compromised. Verify that passwords are not found on the list of commonly used, expected, or compromised passwords when users create or update passwords. Transmit passwords only over cryptographically protected channels. Store passwords in a cryptographically protected form. Select a new password upon first use after account recovery. Enforce the following composition and complexity rules for passwords: characters from at least 3 of 4 categories (uppercase, lowercase, numbers, special characters); no dictionary words; 24-password history enforced; maximum 60-day password age (CMMC/STIG).
Assessment Objectives
- a list of commonly used, expected, or compromised passwords is maintained.
- a list of commonly used, expected, or compromised passwords is updated 15 characters minimum (CMMC/STIG).
- a list of commonly used, expected, or compromised passwords is updated when organizational passwords are suspected to have been compromised.
- passwords are verified not to be found on the list of commonly used, expected, or compromised passwords when they are created or updated by users.
- passwords are only transmitted over cryptographically protected channels.
- passwords are stored in a cryptographically protected form.
- a new password is selected upon first use after account recovery.
- the following composition and complexity rules for passwords are enforced: characters from at least 3 of 4 categories (uppercase, lowercase, numbers, special characters); no dictionary words; 24-password history enforced; maximum 60-day password age (CMMC/STIG).
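As an added illustration (not part of the CMMC text or any assessment guide), the following Python sketch shows how the objectives above can be checked mechanically at password creation or update: lookup against a compromised-password list, the 3-of-4 category rule, a dictionary-word check, a 24-entry history compared only against salted hashes, the 60-day age limit, and storage as a salted PBKDF2 digest rather than plaintext. The compromised list and dictionary are constructed samples; the PBKDF2 iteration count is an assumption lowered so the example runs quickly.

```python
import hashlib
import hmac
import os
import string
from datetime import date

# Constructed sample lists for illustration; a real deployment loads a
# maintained compromised-password list and a dictionary from files.
COMPROMISED = {"password", "welcome1", "summer2024!", "letmein"}
DICTIONARY = {"password", "welcome", "summer", "winter", "dragon"}
MIN_LENGTH = 15        # 15 characters minimum, as stated on the page
HISTORY_DEPTH = 24     # 24-password history
MAX_AGE_DAYS = 60      # maximum 60-day password age
ITERATIONS = 100_000   # assumed PBKDF2 work factor, lowered for the example

def hash_password(pw, salt=None):
    """Return (salt, digest): the only form in which a password is stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

def category_count(pw):
    """Number of the four character classes present in pw."""
    checks = (str.isupper, str.islower, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)

def contains_dictionary_word(pw, min_len=4):
    low = pw.lower()
    return any(w in low for w in DICTIONARY if len(w) >= min_len)

def in_history(pw, history):
    """True if pw re-hashes to any of the last HISTORY_DEPTH stored hashes."""
    return any(hmac.compare_digest(hash_password(pw, salt)[1], digest)
               for salt, digest in history[-HISTORY_DEPTH:])

def password_expired(set_on, today):
    """Dates as ISO strings; expired once the password is older than 60 days."""
    return (date.fromisoformat(today) - date.fromisoformat(set_on)).days > MAX_AGE_DAYS

def validate_new_password(pw, history):
    """Return the names of the rules pw fails; an empty list means accepted."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("length")
    if pw.lower() in COMPROMISED:
        failures.append("compromised-list")
    if category_count(pw) < 3:
        failures.append("complexity")
    if contains_dictionary_word(pw):
        failures.append("dictionary")
    if in_history(pw, history):
        failures.append("history")
    return failures
```

On success the caller stores only `hash_password(pw)` and appends it to the user's history; the plaintext is never persisted.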
Practitioner Notes
Practitioner commentary coming soon.