What are the NIST SP 800-171 Password Requirements?
The password requirements in NIST SP 800-171 are not very specific. This allows organizations to establish their own password policy, as long as it meets the basic NIST SP 800-171 requirements.
When CMMC 2.0 was announced on November 11th, 2021 most DoD contractors released sighs of relief. CMMC 2.0 addressed many of the industry's concerns around the original CMMC. These initial concerns included high costs for small businesses, complex security requirements, and potential conflicts of interest.
Word for Word NIST SP 800-171 Password Requirements:
3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
3.5.8 Prohibit password reuse for a specified number of generations.
3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password.
What does this mean?
You need to require the use of a password before you grant access to your system. All user accounts must be password protected.
You need to establish minimum password complexity requirements. NIST SP 800-171 doesn’t specify what they are; it only says that you must have password complexity requirements. The DISA Security Technical Implementation Guide (STIG) for Windows 10 recommends the following: require passwords to be at least 14 characters in length, enable the built-in Microsoft password complexity filter, set the maximum password age to 60 days or less, and require passwords to expire. NIST no longer recommends that passwords be reset periodically (e.g., every 60 days); instead it recommends that passwords be reset “if there is evidence of compromise” of the password.
So what should your password complexity requirements be? It is up to you. Pick what works best for your organization. Perhaps you go with a password length of 12 characters and never require it to be reset unless there is evidence that the password was compromised. You may also require that passwords contain mixed case letters, numbers, and special characters.
You must prohibit the reuse of passwords for a number of generations. The Center for Internet Security recommends setting this to 24 generations. The DISA STIG for Windows 10 recommends the same value.
You must require that users change their passwords when they log in with a temporary password. This situation generally arises when an admin resets a password for a user and sends them a temporary random password. When the user logs in using that password, they are required to change it.
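As an added example (not part of the original post), the following PowerShell script audits a Windows 10 host's local password policy against the values discussed above and shows how to force a change at next logon after a temporary password is issued. The thresholds, the temporary file path and the account name 'jdoe' are assumptions; substitute your own documented policy.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# Thresholds are assumptions taken from the STIG/CIS values quoted above;
# replace them with whatever your organization documents as its policy.
$Expected = @{
    MinimumPasswordLength = 14   # STIG: at least 14 characters
    PasswordComplexity    = 1    # 1 = built-in Microsoft complexity filter on
    MaximumPasswordAge    = 60   # STIG: 60 days or less (NIST: reset on compromise)
    PasswordHistorySize   = 24   # CIS and STIG: remember 24 generations
}

function Get-LocalPasswordPolicy {
    # secedit exports the local security policy as an INF file; the
    # password settings live under the [System Access] section.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'   # assumed scratch path
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-PasswordPolicy {
    param([hashtable]$Policy, [hashtable]$Expected)
    $findings = @()
    if ($Policy['MinimumPasswordLength'] -lt $Expected.MinimumPasswordLength) {
        $findings += "3.5.7: minimum length is $($Policy['MinimumPasswordLength']), expected >= $($Expected.MinimumPasswordLength)"
    }
    if ($Policy['PasswordComplexity'] -ne $Expected.PasswordComplexity) {
        $findings += '3.5.7: built-in complexity filter is disabled'
    }
    $age = $Policy['MaximumPasswordAge']   # secedit reports -1 for "never expires"
    if ($age -eq -1 -or $age -gt $Expected.MaximumPasswordAge) {
        $findings += "STIG: maximum password age is $age days, expected <= $($Expected.MaximumPasswordAge)"
    }
    if ($Policy['PasswordHistorySize'] -lt $Expected.PasswordHistorySize) {
        $findings += "3.5.8: password history is $($Policy['PasswordHistorySize']), expected >= $($Expected.PasswordHistorySize)"
    }
    return $findings
}

$findings = Test-PasswordPolicy -Policy (Get-LocalPasswordPolicy) -Expected $Expected
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Password policy meets the expected values.' }

# 3.5.9: after resetting a local user's password to a temporary value, force a
# change at next logon (hypothetical account name 'jdoe'):
# net user jdoe /logonpasswordchg:yes
```

On a domain-joined host the effective settings come from domain policy, so check Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory module rather than the local export.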
Conclusion
NIST SP 800-171 password requirements are flexible
Make sure to require the use of passwords
Establish password complexity requirements
Prohibit the reuse of passwords
Require the use of a temporary password when you reset a password for a user
You can use guidance from the Center for Internet Security and NIST to help meet NIST SP 800-171 password requirements