This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [FedRAMP Assignment: (H) (complexity as identified in IA-5(1) Control Enhancement Part (a))].
IA-5(4) Additional FedRAMP Requirements and Guidance: If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5.
References:
OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
[Withdrawn: Incorporated into IA-5(1).]
38North Guidance:
Meets Minimum Requirement:
Employs automated tools to determine if password authenticators are sufficiently strong to satisfy organization-defined requirements.
Best Practice:
Implement strong password complexity strength requirements/rules.
Implement mechanisms for systems/applications to automatically check password strength/complexity requirements when a password is first created.
Implement a vulnerability scanning tool such as Nessus or Qualys that has CIS benchmark policy-check capability, to verify that password strength/complexity requirements are actually being enforced.
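Added example (not 38North's guidance and not any product's code) of the creation-time check and audit record that the Best Practice items above call for: the candidate password is evaluated against a policy before it is accepted, and the audit log records only the verdict and the reasons, never the password itself. The thresholds, the disallowed-word list, the `check_password`/`audit_creation_events` names and the sample creation events are all constructed assumptions; the real IA-5(1) FedRAMP assignment values are not stated on this page and must be taken from the organization's approved parameters.

```python
"""Creation-time password complexity check with an audit record (IA-5(1)/IA-5(4) style).

Thresholds below are illustrative assumptions, not the FedRAMP-assigned values;
set them from the organization's approved parameters.
"""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12       # assumed placeholder, not the FedRAMP assignment
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    # Constructed sample of disallowed values; a real deployment would load a
    # maintained common/breached-password list instead.
    banned: frozenset = frozenset({"password", "welcome1", "changeme"})


def check_password(password: str, username: str = "",
                   policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    failures: list[str] = []
    if len(password) < policy.min_length:
        failures.append(f"length {len(password)} is below minimum {policy.min_length}")

    # Count characters per class and compare against the per-class minimum.
    counts = {
        "uppercase": (sum(c.isupper() for c in password), policy.min_upper),
        "lowercase": (sum(c.islower() for c in password), policy.min_lower),
        "digit": (sum(c.isdigit() for c in password), policy.min_digits),
        "special": (sum(c in string.punctuation for c in password), policy.min_special),
    }
    for name, (have, need) in counts.items():
        if have < need:
            failures.append(f"needs at least {need} {name} character(s), found {have}")

    lowered = password.lower()
    if lowered in policy.banned:
        failures.append("matches a disallowed common password")
    # Reject passwords that embed the account name (ignore very short names).
    if username and len(username) >= 3 and username.lower() in lowered:
        failures.append("contains the account name")
    return failures


def audit_creation_events(events, policy: PasswordPolicy = PasswordPolicy()) -> list[dict]:
    """Run the check over (username, candidate) pairs as they are submitted at creation time.

    Only the verdict and the reasons are recorded, never the candidate password,
    so the audit log does not itself become a store of credentials.
    """
    records = []
    for username, candidate in events:
        failures = check_password(candidate, username, policy)
        records.append({"user": username, "accepted": not failures, "reasons": failures})
    return records


# Constructed sample creation events (not real credentials).
SAMPLE_EVENTS = [
    ("alice", "Correct-Horse-Battery-9"),   # meets every rule
    ("bob", "password"),                    # short, single class, on the banned list
    ("carol", "Carol2024!"),                # too short and embeds the account name
    ("dave", "abcdefghijkl1!A"),            # meets every rule
]

if __name__ == "__main__":
    for rec in audit_creation_events(SAMPLE_EVENTS):
        status = "PASS" if rec["accepted"] else "FAIL"
        print(f"{status} {rec['user']}: {'; '.join(rec['reasons']) or 'meets policy'}")
```

The same `check_password` function can be wired into the identity provider's password-set hook for enforcement at creation and, where enforcement at creation is not available, run from the creation pipeline as the audit mechanism the FedRAMP requirement describes; in both cases the evidence produced is the list of audit records, which contains no secrets.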
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots of password complexity requirements for the identity management solution/application being offered to the customer and the backend environment.
CSP Implementation Tips: TBD