
Password Requirements

How to configure passwords when setting up CMS systems

Contact: ISPG Policy Team | CISO@cms.hhs.gov
CMS Slack Channel
  • #ispg-sec_privacy-policy

The Federal Information Security Management Act (FISMA) and Federal Information Processing Standard (FIPS) Publication 199 Standards for Security Categorization of Federal Information and Information Systems define three levels of potential impact on organizations or individuals in the event of a security breach: low, moderate, and high. 

At CMS, password requirements for CMS systems vary depending on the system’s designated impact level. The requirements for standard account management are described below based on impact level.

High impact systems

General requirements

  • Passwords must not contain dictionary names or words. 

Length requirements

Password length requirements depend on the type of user. Some systems may have more specific requirements on the number of characters allowed.

  • Regular users: at least 8 characters
  • Administrators or privileged users: at least 15 characters

Complexity requirements

The complexity of your password is measured by these four character categories:

  • A - Z
  • a - z
  • 0 - 9

For High Risk systems, use at least 3 of the 3 categories listed above.

Password history

You can re-use a password only after you have a “password history” of a certain size — meaning you have used a certain number of new passwords before repeating an old one. The password history size requirements before repeating a password are:

  • 12 for High Risk systems

System requirements

When handling passwords, the system must:

  • Store and transmit only encrypted versions of passwords
  • Allow the use of a temporary password for first-time system logins, with the directive to immediately change to a permanent password

For some systems, the operating environment forces a minimum number of changed characters when new passwords are created. In that case, set the value at:

  • 12 changed characters for High Risk systems

Moderate or Low impact systems

General requirements

  • Passwords must not contain dictionary names or words. 

Length requirements

Password length requirements depend on the type of user. Some systems may have more specific requirements on the number of characters allowed.

  • Regular users: at least 8 characters
  • Administrators or privileged users: at least 15 characters

Complexity requirements

The complexity of your password is measured by these four character categories:

  • A - Z
  • a - z
  • 0 - 9

For Moderate or Low Risk systems, using more than one category is optional.

Password history

You can re-use a password only after you have a “password history” of a certain size — meaning you have used a certain number of new passwords before repeating an old one. The password history size requirements before repeating a password are:

  • 6 for Moderate or Low impact systems

System requirements

When handling passwords, the system must:

  • Store and transmit only encrypted versions of passwords
  • Allow the use of a temporary password for first-time system logins, with the directive to immediately change to a permanent password

For some systems, the operating environment forces a minimum number of changed characters when new passwords are created. In that case, set the value at:

  • 6 changed characters for Moderate or Low Risk systems
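The rules for both impact levels above can be expressed as a single policy check. The following is an added example, not CMS code: it applies the page's length, category, history and changed-character values to a candidate password. The three character categories are the ones listed on the page; the word list, the role names `regular`/`privileged`, and the way changed characters are counted are assumptions.

```python
"""Added example (not CMS code): checks a candidate password against the
CMS impact-level rules described on this page. The dictionary word list,
the role names and the changed-character metric are assumptions."""
import string

# Per-impact-level values from the page: history size, minimum changed
# characters, and minimum number of character categories.
POLICY = {"high": {"history": 12, "changed": 12, "min_categories": 3},
          "moderate": {"history": 6, "changed": 6, "min_categories": 1},
          "low": {"history": 6, "changed": 6, "min_categories": 1}}
MIN_LENGTH = {"regular": 8, "privileged": 15}
# Constructed sample word list; a real deployment would use a full dictionary.
DICTIONARY = {"password", "welcome", "medicare", "summer"}
# The three categories listed on the page.
CATEGORIES = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def changed_chars(old, new):
    """Assumed metric: positions that differ, plus any difference in length."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_password(level, role, new, old=None, history=()):
    """Return a list of rule violations; an empty list means the password passes."""
    rules = POLICY[level.lower()]
    problems = []
    if len(new) < MIN_LENGTH[role]:
        problems.append(f"length < {MIN_LENGTH[role]} for {role} user")
    lowered = new.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    used = sum(any(c in cat for c in new) for cat in CATEGORIES)
    if used < rules["min_categories"]:
        problems.append(f"uses {used} character categories, need {rules['min_categories']}")
    # Only the most recent `history` passwords block re-use; older ones may be repeated.
    if new in history[-rules["history"]:]:
        problems.append(f"re-used within the last {rules['history']} passwords")
    # Changed-character minimum applies only where the previous password is known.
    if old is not None and changed_chars(old, new) < rules["changed"]:
        problems.append(f"fewer than {rules['changed']} characters changed")
    return problems
```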

Non-standard account authentication

For non-standard account-authenticator management, refer to the CMS Risk Management Handbook, Vol. 3, Standard 4.3: Non-Standard Authenticator Management.

Reference