Password Requirements
How to configure passwords when setting up CMS systems
CMS Slack Channel- #ispg-sec_privacy-policy
The Federal Information Security Management Act (FISMA) and Federal Information Processing Standard (FIPS) Publication 199 Standards for Security Categorization of Federal Information and Information Systems define three levels of potential impact on organizations or individuals in the event of a security breach: low, moderate, and high.
At CMS, password requirements for CMS systems vary depending on the system’s designated impact level. The requirements for standard account management are described below based on impact level.
High impact systems
General requirements
- Passwords must not contain dictionary names or words.
Length requirements
Password length requirements depend on the type of user. Some systems may have more specific requirements on the number of characters allowed.
- Regular users: at least 8 characters
- Administrators or privileged users: at least 15 characters
Complexity requirements
The complexity of your password is measured by these four character categories:
- A - Z
- a - z
- 0 - 9
For High Risk systems, use at least 3 of the 3 categories listed above.
Password history
You can re-use a password only after you have a “password history” of a certain size — meaning you have used a certain number of new passwords before repeating an old one. The password history size requirements before repeating a password are:
- 12 for High Risk systems
System requirements
When handling passwords, the system must:
- Store and transmit only encrypted versions of passwords
- Allow the use of a temporary password for first-time system logins, with the directive to immediately change to a permanent password
For some systems, the operating environment forces a minimum number of changed characters when new passwords are created. In that case, set the value at:
- 12 changed characters for High Risk systems
Moderate or Low impact systems
General requirements
- Passwords must not contain dictionary names or words.
Length requirements
Password length requirements depend on the type of user. Some systems may have more specific requirements on the number of characters allowed.
- Regular users: at least 8 characters
- Administrators or privileged users: at least 15 characters
Complexity requirements
The complexity of your password is measured by these four character categories:
- A - Z
- a - z
- 0 - 9
For Moderate or Low Risk systems, using more than one category is optional.
Password history
You can re-use a password only after you have a “password history” of a certain size — meaning you have used a certain number of new passwords before repeating an old one. The password history size requirements before repeating a password are:
- 6 for Moderate or Low impact systems
System requirements
When handling passwords, the system must:
- Store and transmit only encrypted versions of passwords
- Allow the use of a temporary password for first-time system logins, with the directive to immediately change to a permanent password
For some systems, the operating environment forces a minimum number of changed characters when new passwords are created. In that case, set the values at:
- 6 changed characters for Moderate or Low Risk systems
Non-standard account authentication
For non-standard account-authenticator management, refer to the CMS Risk Management Handbook, Vol. 3, Standard 4.3: Non-Standard Authenticator Management.
Reference
Related documents and resources
Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems
FISMA is federal legislation that defines a framework of guidelines and security standards to protect government information and operations
CFACTS is a CMS database that tracks application security deficiencies and POA&Ms, and supports the ATO process