Navigate

CCI-000195

CCI-000195 Definition

The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.

Status
Type	CheckType.technical

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed configures the information system to enforce that at least 50% of the minimum password length is changed. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 195. DoD has defined the minimum number of characters as 50% of the minimum password length.

Validation Procedures

The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce that at least 50% of the minimum password length is changed. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 195. DoD has defined the minimum number of characters as 50% of the minimum password length.

Compelling Evidence

1.) Signed and dated Key Management Policy or Password Policy referencing enforcement of password complexity 2.) Applicable STIG/SRG checks

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000195.

Control	Description
IA-5 (1)	The information system, for password-based authentication: IA-5 (1)(a): Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; IA-5 (1)(b): Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; IA-5 (1)(c): Stores and transmits only cryptographically-protected passwords; IA-5 (1)(d): Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; IA-5 (1)(e): Prohibits password reuse for [Assignment: organization-defined number] generations; and IA-5 (1)(f): Allows the use of a temporary password for system logons with an immediate change to a permanent password.

Control

Description

IA-5 (1)

The information system, for password-based authentication:

IA-5 (1)(a): Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];

IA-5 (1)(b): Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];

IA-5 (1)(c): Stores and transmits only cryptographically-protected passwords;

IA-5 (1)(d): Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];

IA-5 (1)(e): Prohibits password reuse for [Assignment: organization-defined number] generations; and

IA-5 (1)(f): Allows the use of a temporary password for system logons with an immediate change to a permanent password.