Password Policy Requirements for CMMC
Our clients often ask us what the password policy should be for their covered contractor information systems that must be assessed under the DoD Cybersecurity Maturity Model Certification (CMMC). CMMC is for DoD contractor-owned systems that handle Federal Contract Information (FCI, in scope for the FAR 52.204-21 clause) and/or Controlled Unclassified Information (CUI, in scope for the DFARS clause 252.204-7012).
In general, our recommendation always is to use password managers — cloud-based tools such as LastPass, Microsoft Authenticator, RoboForm, etc.– to create and store long (20+ characters) random passwords, and make sure each user login has a different password.
However, there will always be some passwords your users have to remember, such as their master password for the password manager, and for computer and/or domain login. So for those passwords that must be remembered, what’s a good policy? Unfortunately there is some conflicting guidance from the government. While we cover this topic extensively in our monthly CMMC Workshops, we’ll touch on the important points in this post to clear up some of the conflicts, and suggest a workable strategy.
In terms of CMMC password requirements, there is one control in NIST SP 800-171/CMMC that addresses password complexity. This control — 3.5.7 in 800-171 and IA.L2-3.5.7 starting with CMMC Level 2 — requires us to “Enforce a minimum password complexity and change of characters when new passwords are created.” The CMMC Assessment Guidance and NIST MEP Handbook, both recommend passwords at least 12 characters in length, with a mix of upper and lower case, numbers, and symbols. This guidance aligns with the Committee for National Security Systems Instruction (CNSSI) 1253 controls for DoD-owned IT systems:
A case sensitive 12-character mix of upper case letters, lower case letters, numbers and special characters in including at least one of each.
However, there is some conflicting guidance on password complexity from both the DoD and NIST. On the DoD side, question 53 in the DoD Procurement Toolbox Cybersecurity FAQ addresses password complexity requirements for DoD contractor covered information systems:
DoD FAQ Password Policy
Q53.1: Are there minimum standards for password length or complexity?
A53.1: Typically, specific requirement parameter values are left to the discretion of the nonfederal organization. NIST SP 800-63B, Digital Identity Guidelines -Authentication and Lifecycle Management, indicates that the minimum length for a password or PIN is to be at least 8 characters in length if chosen by the user. However, in cases where the DoD or a DoD Component determines that the loss of confidentiality, integrity, or availability of DoD information could be expected to have a serious adverse effect on organizational assets or individuals on their systems or networks, more stringent password requirements may be necessary. For password-based authentication (i.e., when multifactor authentication is not yet implemented): the minimum password complexity, as supported by the device, is a minimum of 15 characters, 1 of each of the following character sets: Upper case, lower case, Numeric, Special characters [e.g., ~ ! @ # $ % ^ & * ( ) _ + = -‘ [ ] / ? > <]). Additional guidelines are provided for devices that are unable to support the password requirements such as for Microsoft Windows 10 Mobile devices, the device must enforce a minimum password length of six characters and must not allow passwords that include more than two repeating or sequential characters. For Apple iOS 12, the device must be configured to enforce a minimum password length of six characters and be configured to not allow passwords that include more than two repeating or sequential characters.
So the DoD appears to require 15 characters for passwords in systems without multifactor authentication, with a mix of characters to support complexity. We agree with the 15 character minimum, as the longer the password is, the better; length trumps all other considerations when it comes to password security. (There are also legacy technology issues in a Microsoft Windows environment that necessitate a 15 character minimum.) So, for covered system components where users will have to remember the password, e.g. Microsoft Active Directory or Office 365, we advise our clients to configure those logins to require at minimum 15 character passwords.
However when it comes to complexity, NIST’s own recommendations (with rationale) are to do away with it, as requiring complexity often results in users writing down their passwords because they can’t remember them:
NIST Recommends doing away with Password Complexity
Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist of compromised values, the subscriber SHALL be required to choose a different memorized secret. No other complexity requirements for memorized secrets SHOULD be imposed. A rationale for this is presented in Appendix A Strength of Memorized Secrets.
Since length trumps all other password security factors, and passwords that are written down and stored near the user’s computer are the least secure of all, we recommend our clients establish password policies that will foster long and easy to remember passwords. We therefore recommend the following password policy:
- Provide users with access to a password managers for all passwords they don’t need to remember. Train them in the tool, and use the tool to auto-generate long (20+ characters) passwords consisting of a string of a mix of random characters
- For those passwords users must remember:
- Set the minimum length to 15 characters
- Configure the system to remember and forbid the reuse of the last 24 passwords
- Do not require password complexity
- yes this will cause technical noncompliance with CMMC Practice IA.2.078, but you’ll have NISTs guidance to back you up, as well as the following “compensating” control:
- Encourage and train users to use long passphrases instead of passwords. A passphrase can be a combination of three or more random words with spaces in between, such as “dog table milk phone”. These random word phrases can still be difficult to remember however (although easier than a 12 character complex password such as “Th1$ismyP@s5”), so users can pick meaningful phrases, as long as they aren’t part of common lexicon. For example: “Totem says to use a long passphrase!” is a long, secure, passphrase. This latter example even has a capital letter and symbol thrown in for good measure, so you can see that even if you do require complexity in passwords, users can throw in capital letters, numbers, and symbols in the passphrase as long as they don’t make it too complex to remember. To be able to use this as a compensating control, you must be able as an organization to prove to the assessors that you’ve trained your users in this policy, and that they understand why a long passphrase is important.
NIST also recommends to do away with password expiration, and only require users to reset passwords when the organization suspects the password has been compromised. However, establishing this as a policy may be a bridge to far to hope to cross for a CMMC assessment, so we recommend requiring users to change their password annually. But certainly don’t require 60 or 90 day password expiration in your environment, as frequent expiration doesn’t add real security, and in fact may lessen security as users quickly run out of memorable passwords and may start writing them down in frustration. However, when required to change passwords, to avoid password/phrase iteration (the adversary knows we tend to replace “password” with “password1”), require and train users to change at least 4 characters in the passphrase.
Note that wherever you can engage multifactor authentication (MFA) the better, because, as NIST says, with MFA engaged your users can use passwords as short as 8 characters. In general, MFA is one of the top cyber risk mitigators you can engage.
As a side note, the DoD Procurement Toolbox FAQ also has recommendations on logon attempt lockout, which is relevant for CMMC Practice AC.2.009:
DoD Account Lockout Policy
Q53.2: Are there minimum requirements to configure session lock on systems and networks after periods of inactivity and unsuccessful logon attempts?
A53.2: Typically, specific requirement parameter values are left to the discretion of the nonfederal organization. In cases where the DoD or a DoD Component determines that the loss of confidentiality, integrity, or availability of DoD information could be expected to have a serious adverse effect on organizational assets or individuals on their systems and networks, more stringent security requirements may be necessary. These include requiring session locks after 15 minutes of inactivity and limiting unsuccessful logon attempts to three attempts.
CMMC Password Policy Summary
Of course, depending on how the CMMC assessments shake out, we may find that CMMC assessors may absolutely require organizations to align their password policy with the guidance from the DoD Procurement Toolbox FAQ for 15 character minimum and complex passwords. We hope not, as this policy encourages users to write down passwords, but if we do find that is the case, we’ll revise our guidance in a follow on post. Until then, we recommend following NIST’s guidance to use long (15+ character) but easy to remember passphrases that expire infrequently, and to ditch the complexity requirements. If you have other questions, reach out to us, or come join us in one of our CMMC Workshops! Until then:
Good Hunting!
–Adam