The following compliance controls are associated with this Policy definition 'Establish a password policy' (d8bbd80e-3bb1-5983-06c2-428526ec6a63):
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | IA-5(1) | FedRAMP_High_R4_IA-5(1) | FedRAMP High IA-5 (1) | Identification And Authentication | Password-Based Authentication | Shared | n/a | The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. | link | 15 |
| FedRAMP_High_R4 | IA-5(4) | FedRAMP_High_R4_IA-5(4) | FedRAMP High IA-5 (4) | Identification And Authentication | Automated Support For Password Strength Determination | Shared | n/a | The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. Supplemental Guidance: This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. | link | 3 |
| FedRAMP_Moderate_R4 | IA-5(1) | FedRAMP_Moderate_R4_IA-5(1) | FedRAMP Moderate IA-5 (1) | Identification And Authentication | Password-Based Authentication | Shared | n/a | The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. | link | 15 |
| FedRAMP_Moderate_R4 | IA-5(4) | FedRAMP_Moderate_R4_IA-5(4) | FedRAMP Moderate IA-5 (4) | Identification And Authentication | Automated Support For Password Strength Determination | Shared | n/a | The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. Supplemental Guidance: This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. | link | 3 |
| hipaa | 1004.01d1System.8913-01.d | hipaa-1004.01d1System.8913-01.d | 1004.01d1System.8913-01.d | 10 Password Management | 1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems | Shared | n/a | The organization maintains a list of commonly-used, expected, or compromised passwords, and updates the list (i) at least every 180 days and (ii) when organizational passwords are suspected to have been compromised (either directly or indirectly); allows users to select long passwords and passphrases, including spaces and all printable characters; employs automated tools to assist the user in selecting strong passwords and authenticators; and verifies, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords. |  | 8 |
| hipaa | 1005.01d1System.1011-01.d | hipaa-1005.01d1System.1011-01.d | 1005.01d1System.1011-01.d | 10 Password Management | 1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems | Shared | n/a | The organization transmits passwords only when cryptographically-protected and stores passwords using an approved hash algorithm. |  | 6 |
| hipaa | 1009.01d2System.4-01.d | hipaa-1009.01d2System.4-01.d | 1009.01d2System.4-01.d | 10 Password Management | 1009.01d2System.4-01.d 01.02 Authorized Access to Information Systems | Shared | n/a | Temporary passwords are unique and not guessable. |  | 4 |
| hipaa | 1014.01d1System.12-01.d | hipaa-1014.01d1System.12-01.d | 1014.01d1System.12-01.d | 10 Password Management | 1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems | Shared | n/a | The organization avoids the use of third-parties or unprotected (clear text) electronic mail messages for the dissemination of passwords. |  | 11 |
| hipaa | 1022.01d1System.15-01.d | hipaa-1022.01d1System.15-01.d | 1022.01d1System.15-01.d | 10 Password Management | 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems | Shared | n/a | Password policies, applicable to mobile devices, are documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and prohibit the changing of password/PIN lengths and authentication requirements. |  | 8 |
| hipaa | 1031.01d1System.34510-01.d | hipaa-1031.01d1System.34510-01.d | 1031.01d1System.34510-01.d | 10 Password Management | 1031.01d1System.34510-01.d 01.02 Authorized Access to Information Systems | Shared | n/a | The organization changes passwords for default system accounts, whenever there is any indication of password compromise, at first logon following the issuance of a temporary password, and requires immediate selection of a new password upon account recovery. |  | 6 |
| hipaa | 1116.01j1Organizational.145-01.j | hipaa-1116.01j1Organizational.145-01.j | 1116.01j1Organizational.145-01.j | 11 Access Control | 1116.01j1Organizational.145-01.j 01.04 Network Access Control | Shared | n/a | Strong authentication methods are implemented for all external connections to the organization's network. |  | 6 |
| ISO27001-2013 | A.10.1.2 | ISO27001-2013_A.10.1.2 | ISO 27001:2013 A.10.1.2 | Cryptography | Key Management | Shared | n/a | A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. | link | 15 |
| ISO27001-2013 | A.9.2.4 | ISO27001-2013_A.9.2.4 | ISO 27001:2013 A.9.2.4 | Access Control | Management of secret authentication information of users | Shared | n/a | The allocation of secret authentication information shall be controlled through a formal management process. | link | 21 |
| ISO27001-2013 | A.9.3.1 | ISO27001-2013_A.9.3.1 | ISO 27001:2013 A.9.3.1 | Access Control | Use of secret authentication information | Shared | n/a | Users shall be required to follow the organization's practices in the use of secret authentication information. | link | 15 |
| ISO27001-2013 | A.9.4.3 | ISO27001-2013_A.9.4.3 | ISO 27001:2013 A.9.4.3 | Access Control | Password management system | Shared | n/a | Password management systems shall be interactive and shall ensure quality passwords. | link | 22 |
|  | mp.s.2 Protection of web services and applications | mp.s.2 Protection of web services and applications |  |  |  |  | n/a | n/a |  | 102 |
| NIST_SP_800-171_R2 | 3.5.7 | NIST_SP_800-171_R2_3.5.7 | NIST SP 800-171 R2 3.5.7 | Identification and Authentication | Enforce a minimum password complexity and change of characters when new passwords are created. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. | link | 8 |
| NIST_SP_800-53_R4 | IA-5(1) | NIST_SP_800-53_R4_IA-5(1) | NIST SP 800-53 Rev. 4 IA-5 (1) | Identification And Authentication | Password-Based Authentication | Shared | n/a | The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. | link | 15 |
| NIST_SP_800-53_R4 | IA-5(4) | NIST_SP_800-53_R4_IA-5(4) | NIST SP 800-53 Rev. 4 IA-5 (4) | Identification And Authentication | Automated Support For Password Strength Determination | Shared | n/a | The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. Supplemental Guidance: This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. | link | 3 |
| NIST_SP_800-53_R5 | IA-5(1) | NIST_SP_800-53_R5_IA-5(1) | NIST SP 800-53 Rev. 5 IA-5 (1) | Identification and Authentication | Password-based Authentication | Shared | n/a | For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly; (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); (c) Transmit passwords only over cryptographically-protected channels; (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash; (e) Require immediate selection of a new password upon account recovery; (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters; (g) Employ automated tools to assist the user in selecting strong password authenticators; and (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. | link | 15 |
|  | op.acc.1 Identification | op.acc.1 Identification |  |  |  |  | n/a | n/a |  | 66 |
|  | op.acc.2 Access requirements | op.acc.2 Access requirements |  |  |  |  | n/a | n/a |  | 64 |
|  | op.acc.5 Authentication mechanism (external users) | op.acc.5 Authentication mechanism (external users) |  |  |  |  | n/a | n/a |  | 72 |
|  | op.exp.10 Cryptographic key protection | op.exp.10 Cryptographic key protection |  |  |  |  | n/a | n/a |  | 53 |
| PCI_DSS_v4.0 | 8.3.6 | PCI_DSS_v4.0_8.3.6 | PCI DSS v4.0 8.3.6 | Requirement 08: Identify Users and Authenticate Access to System Components | Strong authentication for users and administrators is established and managed | Shared | n/a | If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: • A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters). • Contain both numeric and alphabetic characters. | link | 9 |
| PCI_DSS_v4.0 | 8.6.3 | PCI_DSS_v4.0_8.6.3 | PCI DSS v4.0 8.6.3 | Requirement 08: Identify Users and Authenticate Access to System Components | Use of application and system accounts and associated authentication factors is strictly managed | Shared | n/a | Passwords/passphrases for any application and system accounts are protected against misuse as follows: • Passwords/passphrases are changed periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise. • Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases. | link | 6 |
| SWIFT_CSCF_v2022 | 4.1 | SWIFT_CSCF_v2022_4.1 | SWIFT CSCF v2022 4.1 | 4. Prevent Compromise of Credentials | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Shared | n/a | All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed login attempts. Similarly, personal tokens and mobile devices enforce passwords or a Personal Identification Number (PIN) with appropriate parameters. | link | 17 |
| SWIFT_CSCF_v2022 | 5.4 | SWIFT_CSCF_v2022_5.4 | SWIFT CSCF v2022 5.4 | 5. Manage Identities and Segregate Privileges | Protect physically and logically the repository of recorded passwords. | Shared | n/a | Recorded passwords are stored in a protected physical or logical location, with access restricted on a need-to-know basis. | link | 6 |