Like most compliance work, working out the password requirements for systems that handle Controlled Unclassified Information (CUI) means reconciling several overlapping guidelines and standards.
We’re here to break down the requirements, recommendations and guidelines from the Cybersecurity Maturity Model Certification (CMMC), the Department of Defense (DoD) and NIST SP 800-171 to make choosing a secure password policy a little easier.
DoD Password Requirements
The DoD specifies password complexity and length standards as outlined in their Cybersecurity FAQ document.
Simply put, for systems without Multifactor Authentication (MFA), the Department of Defense requires:
- 15 characters minimum
- At least 1 character from each of the following character sets: uppercase letters, lowercase letters, digits, and special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <)
- Devices that cannot support the above requirements, such as Windows 10 mobile devices or iOS 12, must enforce a 6-character minimum and must not allow two repeating sequential characters.
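As an added illustration (this is not DoD code and the FAQ prescribes no implementation), the following check encodes the two rule sets above the way a provisioning script or account-creation hook might. The special-character set is the example list from the FAQ, and "two repeating sequential characters" is read as the same character appearing twice in a row; both are assumptions you should align with your own written policy.

```python
# Added example: a checker for the DoD password rules quoted above.
# Assumptions (not from the DoD FAQ): SPECIALS is the FAQ's example list,
# and "repeating sequential characters" means the same character twice in a row.
import string

SPECIALS = frozenset("~!@#$%^&*()_+=-'[]/?><")


def check_full_policy(pw: str) -> list:
    """Rules for systems without MFA. Returns the unmet requirements
    (an empty list means the password is acceptable)."""
    findings = []
    if len(pw) < 15:
        findings.append("shorter than 15 characters")
    if not any(c in string.ascii_uppercase for c in pw):
        findings.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in pw):
        findings.append("no lowercase letter")
    if not any(c in string.digits for c in pw):
        findings.append("no digit")
    if not any(c in SPECIALS for c in pw):
        findings.append("no special character")
    return findings


def check_constrained_device_policy(pw: str) -> list:
    """Fallback rules for devices that cannot enforce the full policy."""
    findings = []
    if len(pw) < 6:
        findings.append("shorter than 6 characters")
    # Same character twice in a row ("aa", "11") is rejected.
    if any(a == b for a, b in zip(pw, pw[1:])):
        findings.append("contains two repeating sequential characters")
    return findings


def is_compliant(pw: str, constrained_device: bool = False) -> bool:
    """True when the password meets the rule set for the device class."""
    checker = check_constrained_device_policy if constrained_device else check_full_policy
    return not checker(pw)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("Correct-Horse-Battery9", "correcthorsebattery9!", "Ab1!"):
        print(candidate, "->", check_full_policy(candidate) or "OK")
    for candidate in ("a1b2c3", "aab2c3"):
        print(candidate, "(constrained) ->", check_constrained_device_policy(candidate) or "OK")
```

Returning the list of unmet rules rather than a bare boolean lets the enrolment UI tell the user exactly what to fix, and keeps the same function usable for a periodic audit of existing accounts.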
It’s important to highlight that although the DoD does not yet require multifactor authentication universally, NIST 800-171 control 3.5.3 requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts, and CMMC inherits that requirement. So what does that mean for minimum password complexity under CMMC and NIST 800-171?
What are the minimum password complexity requirements?
The DoD rules call for a 15-character minimum drawn from all four character classes, which can produce lengthy, hard-to-remember passwords. NIST 800-171, on the other hand, requires MFA and leaves the specific complexity rules to the organization (control 3.5.7 only says to enforce a minimum complexity), which leaves room for shorter, easier-to-remember passwords or passphrases.
Multifactor authentication is one of the best tools against unauthorized access to CUI and to protected networks in general. Implementing MFA therefore not only adds another layer of protection, it can also make passwords more memorable for your organization.
Are password managers CMMC compliant?
The short answer is yes, provided the password manager uses FIPS 140-2 validated cryptography.
Let’s take a deeper look at CMMC IA.2.081 (control 3.5.10 in NIST 800-171). The control says, “Store and transmit only cryptographically-protected passwords,” which is open to interpretation. NIST and CMMC provide further context by stating that all passwords must be cryptographically protected using a one-way function for storage and transmission. Most password management tools satisfy that wording, since the vault is encrypted and the master password is never stored in a recoverable form.
The important nuance is that the password manager must use FIPS-validated cryptography. FIPS 140-2 “specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments.” (FIPS 140-3 has since superseded 140-2 for new validations, but existing 140-2 certificates remain in use.) Most commercial password managers cannot guarantee that the modules they use are FIPS-validated, so check for a Cryptographic Module Validation Program (CMVP) certificate covering the product’s crypto module rather than relying on a marketing claim of “FIPS-compliant.”
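As an added example of what “cryptographically protected using a one-way function for storage” looks like in practice (this is illustrative code written for this post, not the text of the control and not any product’s implementation), the snippet below stores a password only as the output of PBKDF2-HMAC-SHA256 with a per-user random salt and verifies it with a constant-time comparison. PBKDF2 is specified in NIST SP 800-132; the iteration count and record format are assumptions, and whether a deployment counts as FIPS-validated depends on the cryptographic module `hashlib` is linked against, not on this code.

```python
# Added example: one-way password storage in the sense of NIST 800-171 3.5.10.
# Assumptions: ITERATIONS is a work factor chosen for this demo, and the
# record layout "pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>" is ours.
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; tune to your hardware budget
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = None) -> str:
    """Derive a one-way record for storage. A fresh random salt per user
    means two users with the same password get different records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the stored salt and iteration count and compare in
    constant time. Malformed or foreign records are rejected, never trusted."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed demo: a two-user "table" holding only derived records.
    users = {
        "alice": hash_password("Correct-Horse-Battery9"),
        "bob": hash_password("Correct-Horse-Battery9"),   # same password, different record
    }
    for name, record in users.items():
        print(name, record[:40] + "...")
    print("alice login ok:", verify_password("Correct-Horse-Battery9", users["alice"]))
    print("alice wrong pw:", verify_password("Correct-Horse-Battery0", users["alice"]))
```

The record can be handed to a database or backup without exposing the password, because the only way back is to guess and re-derive. Storing the salt and iteration count alongside the digest is what lets you raise the work factor later without a forced password reset.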
Feeling lost in navigating CMMC controls? SSE is your lighthouse.
Interpreting thick regulatory documents can make your head spin, especially when trying to verify that your organization meets all the requirements of your DoD contract. At SSE, we’re accredited by the Cyber AB (formerly the CMMC Accreditation Body) as a Registered Provider Organization (RPO), and we are a DoD contractor ourselves. We know the ins and outs of CMMC compliance and can help your organization plan for and achieve it.
Contact us today to schedule an initial consultation with our team and a complimentary NIST 800-171 & CMMC Readiness Assessment.