Access Control

What are your CMMC password requirements?

We explain your cybersecurity maturity model certification (CMMC) password requirements.

The new cybersecurity maturity model certification (CMMC) model does not mention specific password length, complexity, password history, or password renewal requirements. To play it safe, we recommend that you adhere to the password recommendations from the Center for Internet Security (CIS).

Center for Internet Security (CIS) Password Recommendations

  • 10 character minimum length
  • Password complexity: uppercase letters, lowercase letters, numbers, and symbols
  • Change passwords at least every 60 days
  • Prevent the reuse of the past 24 passwords
  • Set the minimum password age to one day (so that users can’t change their password 24 times to reuse their old password)
  • Set account login thresholds to 10 or fewer invalid login attempts. (Keep in mind that the fewer attempts you allow the more password related issues your users will have.)
  • Change default passwords on accounts when setting up new equipment.
  • If a user accesses several accounts, require them to use a separate password for each.
  • Do not allow the use of names, user account names, or other personal information in passwords.
  • Store all passwords using strong salting and hashing functions.
  • Do not store passwords using reversible encryption.
  • Train users to use separate passwords for work and personal accounts.
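As an added example (not from the original post), the CIS list above expressed as a small Python policy check. The numeric values are the ones listed; the function names, the PBKDF2 iteration count and the sample inputs are assumptions:

```python
import hashlib
import hmac
import os
import string
from datetime import timedelta

# Parameters taken from the CIS recommendations listed above.
MIN_LENGTH = 10
MAX_AGE = timedelta(days=60)       # change at least every 60 days
MIN_AGE = timedelta(days=1)        # minimum password age of one day
HISTORY_DEPTH = 24                 # no reuse of the past 24 passwords
LOCKOUT_THRESHOLD = 10             # 10 or fewer invalid attempts
PBKDF2_ITERATIONS = 100_000        # assumed value for this example


def hash_password(password, salt=None):
    """Salted, slow one-way hash (PBKDF2-HMAC-SHA256). Returns (salt, digest);
    nothing reversible is stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_new_password(password, username, personal_info, history, last_changed, now):
    """Return a list of CIS rule violations; an empty list means the password is acceptable.
    history is a list of (salt, digest) pairs, oldest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if not all(classes):
        problems.append("must contain uppercase, lowercase, digits and symbols")
    for token in [username] + list(personal_info):
        if token and token.lower() in password.lower():
            problems.append("contains account name or personal information: " + token)
    if last_changed is not None and now - last_changed < MIN_AGE:
        problems.append("changed less than one day ago")
    # Re-hash the candidate with each stored salt to compare against the last 24 digests.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
            break
    return problems


def password_expired(last_changed, now):
    return now - last_changed >= MAX_AGE


def account_locked(failed_attempts):
    return failed_attempts >= LOCKOUT_THRESHOLD
```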

Finding the Right Balance

If you make your password requirements too stringent you will experience an increase in password “issues”. This means more password-related tickets and less productivity. If you have weak password requirements you are setting yourself up to be an easy target for attackers. Even NIST has eased its stance on passwords after research showed that overly stringent password requirements negatively impact security.
When it comes to password requirements, find a middle ground that works best for your company's culture and the capabilities of your employees.

Summary:

  • CMMC does not mention specific password length, complexity, or reset requirements. Your company should decide on them.
  • You cannot go wrong with the password recommendations from the Center for Internet Security.
  • Before implementing password requirements, think about how they will impact security and productivity.
  • If you found this information useful and want to learn more about CMMC reach out to us at info[@]lakeridge.io