Cybersecurity risks are a concern for every business, including the Federal government. Prior to NIST 800-171, there was a lack of uniformity in how government agencies managed, protected, and disposed of data, leading to significant security challenges, especially when sharing information.
After several high-profile incidents, culminating in the 2018 U.S. Postal Service data breach, NIST SP 800-171 now applies to any organization that wishes to work with the federal government. This cybersecurity framework, crucial for protecting controlled unclassified information (CUI) in non-federal organizational systems, offers robust protocols and security requirements for handling sensitive but unregulated data. The guidelines provide a framework to safeguard and distribute material deemed sensitive but not classified. They clarify how CUI should be accessed, shared, and stored in a secure fashion.
Compliance with these guidelines is not only mandatory but also requires demonstrable proof to avoid contract termination or fines. Consequently, other organizations are increasingly implementing NIST password guidelines and security protocols because they reduce the risk for most organizations.
NIST SP 800-171 provides a set of guidelines that outline the processes and procedures companies must implement to achieve compliance with the controls around Controlled Unclassified Information (CUI) and the information systems that handle it. There are 14 different components of IT security that organizations and contractors must adhere to, which can be grouped into four areas:
Adopting NIST 800-171 policies yields significant security advantages, including enhanced data access policies, reduced risk of data breaches and insider threats, a scalable approach to data protection, and facilitation of risk assessment procedures.
Security Measure: Enforce a minimum password complexity and change of characters when new passwords are created.
NIST Special Publication 800-171 3.5.7
The guidelines mandate enforcing minimum password complexity and a change of characters when new passwords are created.
At Enzoic, we specialize in aiding compliance with identification and authentication requirements, specifically in enforcing character changes in password creation as part of a robust password policy. While standard Active Directory functionality allows for easy enforcement of minimum password complexity requirements, including the use of special characters, mandating character changes is more nuanced.
Employee tendencies to use variations of a single root password present significant security risks.
To counter this, NIST 800-171’s “change of characters when new passwords are created” requirement is crucial. Enzoic’s password similarity blocking checks each new password against previous ones using the Damerau-Levenshtein distance algorithm, ensuring that password changes adhere to the specified requirement.
For example, if your compromised password is “HolidayVacation2018”, attackers usually try variations like:
“HolidayVacation2023” one-character change
“HolidayVacation2024” two-character change
“HolidayVacation24” two-digit change
With Enzoic for Active Directory, you can specify the required degree of difference between old and new passwords, with customizable settings ranging from 1 to 8 characters. This flexibility allows organizations to tailor the security measures to their specific needs.
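To make the similarity check concrete, here is an added example (not Enzoic’s code and not from the original post) that implements the Damerau-Levenshtein distance in its common optimal-string-alignment form and applies a configurable minimum-distance threshold in the 1 to 8 range described above. The case-insensitive comparison, the function names and the default threshold of 4 are assumptions made for this illustration; it runs the “HolidayVacation2018” variations from the text plus a transposition case that plain Levenshtein would score differently.

```python
"""Password-similarity check: reject a new password that is too close to the
old one, measured by Damerau-Levenshtein (optimal string alignment) distance.
Added illustration only; the threshold default and normalisation are assumptions."""


def damerau_levenshtein(a: str, b: str) -> int:
    """Return the OSA edit distance between a and b.

    Insertions, deletions, substitutions and transpositions of two adjacent
    characters each cost 1. Runs in O(len(a) * len(b)) time and space.
    """
    la, lb = len(a), len(b)
    # d[i][j] holds the distance between a[:i] and b[:j]
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i          # delete all of a[:i]
    for j in range(lb + 1):
        d[0][j] = j          # insert all of b[:j]
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # deletion
                d[i][j - 1] + 1,         # insertion
                d[i - 1][j - 1] + cost,  # substitution (or match)
            )
            # adjacent transposition, e.g. "18" <-> "81"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def is_sufficiently_different(old: str, new: str, min_distance: int = 4) -> bool:
    """True if `new` differs from `old` by at least `min_distance` edits.

    min_distance mirrors the 1..8 character setting described in the text.
    Comparison is case-insensitive (an assumption) so that flipping the case
    of a root password does not count as a change.
    """
    if not 1 <= min_distance <= 8:
        raise ValueError("min_distance must be between 1 and 8")
    return damerau_levenshtein(old.lower(), new.lower()) >= min_distance


def evaluate_candidates(old: str, candidates: list, min_distance: int = 4) -> dict:
    """Map each candidate to (distance, accepted) for reporting."""
    return {
        c: (damerau_levenshtein(old.lower(), c.lower()),
            is_sufficiently_different(old, c, min_distance))
        for c in candidates
    }


if __name__ == "__main__":
    # Constructed sample: the root password from the text and typical variations
    OLD = "HolidayVacation2018"
    CANDIDATES = [
        "HolidayVacation2023",
        "HolidayVacation2024",
        "HolidayVacation24",
        "HolidayVacation2081",   # transposition of the last two digits
        "holidayvacation2018",   # case change only
        "Tq9!mountain-kettle",   # unrelated password
    ]
    for cand, (dist, ok) in evaluate_candidates(OLD, CANDIDATES).items():
        print(f"{cand:22s} distance={dist:2d} {'accepted' if ok else 'rejected'}")
```

Note that the distance counts edit operations rather than “digits that look different”: “HolidayVacation24” is three edits away from the original (two deletions plus one substitution), and the transposed “HolidayVacation2081” is only one edit away, which is exactly the case the Damerau variant catches and plain Levenshtein would score as two. With the threshold at 4, every variation in the list is rejected and only the unrelated password passes.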
Passwords remain a significant threat vector, and Enzoic stands out as the only provider offering both password filtering (at creation/reset) and continuous monitoring (daily rechecking) against a daily-refreshed proprietary database. Our extensive threat intelligence in compromised credentials is a cornerstone of our service.
These capabilities align with the National Institute of Standards and Technology’s revised recommendations for simpler password complexity and the elimination of expiration dates. The benefits of these updates include enhanced security, a better user experience, and reduced costs, leveraging existing authentication technology.
A critical point to note in NIST’s guidelines is their applicability to various authentication process scenarios. As stated in the NIST standard, “This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators.” This explicitly indicates that organizations implementing MFA are not exempt from adhering to these password security standards and Digital Identity Guidelines. Ensuring password integrity and change requirements is just as crucial in MFA environments, highlighting the need for comprehensive password security measures across all authentication methods.
To find out more about how we can help support character difference requirements in NIST 800-171, please read more in this e-book: Using NIST Guidelines for Secure Passwords.
Start for free. Enzoic provides a clean user interface to screen for compromised passwords.