Enforce a minimum password complexity and change of characters when new passwords are created
What This Means
This control ensures that passwords are complex enough to resist guessing or brute-force attacks by requiring a mix of character types and enforcing regular changes. It means that when users create new passwords, they must include a combination of uppercase letters, lowercase letters, numbers, and special characters. Additionally, users cannot reuse old passwords or create passwords too similar to previous ones. For example, a password like 'P@ssw0rd2023!' meets complexity requirements, while 'password123' does not. This helps protect systems from unauthorized access, especially in environments handling sensitive defense-related information.
Why It Matters
Weak or reused passwords are a leading cause of security breaches. According to Verizon's 2023 Data Breach Investigations Report, 80% of hacking-related breaches involve compromised credentials. A notable example is the 2021 Colonial Pipeline attack, which originated from a compromised password. For DoD contractors, weak passwords can expose Controlled Unclassified Information (CUI) or lead to ransomware attacks, costing millions in recovery and reputational damage. CMMC emphasizes this control to ensure defense contractors maintain robust authentication practices, reducing the risk of unauthorized access to sensitive systems.
How to Implement
1. In Azure, navigate to Azure Active Directory > Password Protection > Enable custom banned passwords.
2. Set minimum password length to 12 characters.
3. Enable requirements for uppercase, lowercase, numbers, and special characters.
4. Configure password expiration policy to 90 days.
5. Enable password history to prevent reuse of the last 24 passwords.
6. Use Azure AD Password Protection to block common or weak passwords.
7. Test policies by creating sample user accounts and verifying enforcement.
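As an added example (not code from this page or from Microsoft), the following Python validator lets a defender exercise the rules above offline before testing them against real accounts in step 7: the length and character-class rules, the banned-word list, the 24-password history, and the "change of characters" check from the What This Means section. The banned list, the leet-speak normalisation and the MIN_NEW_CHARS threshold are assumptions; note that the page's 'P@ssw0rd2023!' passes the complexity rules yet is caught by the banned-word check, which is why step 6 exists alongside steps 2 and 3.

```python
import hashlib
import re

# Policy parameters taken from the implementation steps on this page.
MIN_LENGTH = 12
HISTORY_SIZE = 24
MIN_NEW_CHARS = 4  # assumed threshold for "change of characters"; the page sets none
# Constructed, illustrative banned list; Azure AD's global list is far larger.
BANNED = {"password", "welcome", "qwerty", "letmein"}
# Rough leet-speak normalisation (approximates, does not reproduce, Azure AD's matching).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})

def complexity_errors(pw: str) -> list[str]:
    """Return the complexity rules (steps 2-3) that the candidate password fails."""
    checks = [
        (len(pw) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (re.search(r"[A-Z]", pw), "no uppercase letter"),
        (re.search(r"[a-z]", pw), "no lowercase letter"),
        (re.search(r"[0-9]", pw), "no digit"),
        (re.search(r"[^A-Za-z0-9]", pw), "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]

def is_banned(pw: str) -> bool:
    """Step 6: reject if a banned word appears anywhere after normalisation."""
    norm = pw.lower().translate(LEET)
    return any(word in norm for word in BANNED)

def pw_hash(pw: str, salt: bytes) -> bytes:
    """PBKDF2 digest so password history can be kept without storing plaintext."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def is_reused(pw: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Step 5: compare against the most recent HISTORY_SIZE (salt, digest) pairs."""
    return any(pw_hash(pw, salt) == digest for salt, digest in history[-HISTORY_SIZE:])

def too_similar(old: str, new: str) -> bool:
    """'Change of characters': require MIN_NEW_CHARS characters absent from the old password."""
    return sum(1 for c in new if c not in old) < MIN_NEW_CHARS

def validate_change(old: str, new: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Run every check an enforcement test (step 7) should exercise; [] means accepted."""
    errors = complexity_errors(new)
    if is_banned(new):
        errors.append("contains a banned word")
    if is_reused(new, history):
        errors.append(f"matches one of the last {HISTORY_SIZE} passwords")
    if too_similar(old, new):
        errors.append("too similar to the current password")
    return errors
```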
Evidence Examples
Password Policy Document
Screenshot of Active Directory Password Policy Settings
Password Audit Logs
User Training Records
Policy Enforcement Test Results
SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For IA.L2-3.5.7 ("Enforce a minimum password complexity and change of characters when new passwords are created"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how users, devices, and processes are identified and authenticated, including your IAM platform, password policies, MFA implementation, certificate management, and service account controls. Be specific -- name your actual products, settings, and responsible personnel.
Example SSP Narratives
"IA.L2-3.5.7 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to enforce a minimum password complexity and change of characters when new password.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."
"IA.L2-3.5.7 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to enforce a minimum password complexity and change of characters when new password.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."
"IA.L2-3.5.7 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- Identify all authentication entry points (local login, VPN, cloud, API)
- Document the identity provider(s) and authentication flow
- Specify MFA methods and coverage
- Ensure this control (enforcing minimum password complexity and change of characters when new passwords are created) covers all systems within your defined CUI boundary where it applies
- Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- Identification and Authentication Policy
- Password policy configuration
- MFA enrollment records
- Service account registry
- Evidence artifacts specific to IA.L2-3.5.7
- POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will test authentication mechanisms, verify MFA is enforced for required access paths, check password policy configuration, and review service account documentation.
Self-Assessment Questions
Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.
Question 1: Does your organization have a documented password policy?
Question 2: Is the minimum password length set to at least 12 characters?
Question 3: Are passwords required to include uppercase, lowercase, numbers, and special characters?
Question 4: Is password reuse prevented for at least the last 24 passwords?
Question 5: Have you tested password policy enforcement?
Common Mistakes (What Auditors Flag)
1. Inconsistent policies across cloud and on-premise systems.
2. Weak password complexity requirements.
3. Missing documentation of password policies.
4. Failure to test policy enforcement.
5. Not training users on password policies.
Parent Policy
This practice is governed by the Identification and Authentication Policy.