03.05.07 Password Management

This policy outlines the organization's requirements for the secure management of user passwords, including the prohibition of weak or compromised passwords, the secure transmission and storage of passwords, and the enforcement of strong password complexity and composition rules. This policy applies to all organizational systems and users with access to controlled unclassified information (CUI).

• A.03.05.07.ODP[01]: the frequency at which to update the list of commonly used, expected, or compromised passwords is defined.
• A.03.05.07.ODP[02]: password composition and complexity rules are defined.
• A.03.05.07.a[01]: a list of commonly used, expected, or compromised passwords is maintained.
• A.03.05.07.a[02]: a list of commonly used, expected, or compromised passwords is updated <A.03.05.07.ODP[01]: frequency>.
• A.03.05.07.a[03]: a list of commonly used, expected, or compromised passwords is updated when organizational passwords are suspected to have been compromised.
• A.03.05.07.b: passwords are verified not to be found on the list of commonly used, expected, or compromised passwords when they are created or updated by users.
• A.03.05.07.c: passwords are only transmitted over cryptographically protected channels.
• A.03.05.07.d: passwords are stored in a cryptographically protected form.
• A.03.05.07.e: a new password is selected upon first use after account recovery.
• A.03.05.07.f: the following composition and complexity rules for passwords are enforced: <A.03.05.07.ODP[02]: rules>.