Navigate

CCI-000200

CCI-000200 Definition

The information system prohibits password reuse for the organization-defined number of generations.

Status
Type	CheckType.technical

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed configures the information system to prohibit reuse for a minimum of 5 generations. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 200. DoD has defined the number of generations as a minimum of 5.

Validation Procedures

The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prohibit reuse for a minimum of 5 generations. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 200. DoD has defined the number of generations as a minimum of 5.

Compelling Evidence

1.) Signed and dated Key Management Policy enforcing prohibition of password reuse for a minimum of 5 generations. 2.) Applicable STIG/SRG checks.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000200.

Control	Description
IA-5 (1)	The information system, for password-based authentication: IA-5 (1)(a): Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; IA-5 (1)(b): Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; IA-5 (1)(c): Stores and transmits only cryptographically-protected passwords; IA-5 (1)(d): Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; IA-5 (1)(e): Prohibits password reuse for [Assignment: organization-defined number] generations; and IA-5 (1)(f): Allows the use of a temporary password for system logons with an immediate change to a permanent password.

Control

Description

IA-5 (1)

The information system, for password-based authentication:

IA-5 (1)(a): Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];

IA-5 (1)(b): Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];

IA-5 (1)(c): Stores and transmits only cryptographically-protected passwords;

IA-5 (1)(d): Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];

IA-5 (1)(e): Prohibits password reuse for [Assignment: organization-defined number] generations; and

IA-5 (1)(f): Allows the use of a temporary password for system logons with an immediate change to a permanent password.