Cybersecurity risks are a concern for every business, including the Federal government. Until the introduction of NIST 800-171, there was not a consistent approach between government agencies on how data should be handled, safeguarded, and disposed of. This caused a myriad of headaches, including security concerns, when information needed to be shared.
After several high-profile incidents, culminating in the 2018 U.S. Postal Service data breach, anyone who now wishes to work with the federal government needs to adhere to NIST 800-171. The framework was introduced to protect controlled unclassified information (CUI) in non-federal information systems and organizations. This is sensitive and relevant data that is not regulated by the federal government. The guidelines provide a framework to safeguard and distribute material deemed sensitive but not classified, and they clarify how CUI should be accessed, shared, and stored in a secure fashion.
Anyone dealing with the government now not only has to be compliant, but they also must be able to demonstrate compliance to ensure contracts are not revoked or fines applied. Other organizations are also adopting NIST password guidelines and security protocols because they reduce the risk for most organizations.
What is NIST 800-171?
NIST 800-171 provides a set of guidelines that outline the processes and procedures that companies must implement to achieve compliance regarding controls around CUI. There are 14 different components of IT security that organizations and contractors must adhere to, which can be grouped into four areas:
- Controls – Data management controls and processes
- Monitoring & management – Real-time monitoring/management of defined IT systems
- End-user practices – Documented, well-defined end-user practices and procedures
- Security measures – Implementation of defined security measures
Adopting the policies in NIST 800-171 brings multiple security-related benefits, including best practices for data access policies, reduced risk of data breaches and insider threats, and a scalable approach to protecting sensitive data.
Security Measure: Enforce a minimum password complexity and change of characters when new passwords are created. (NIST Special Publication 800-171, 3.5.7)
NIST 800-171: Change of Characters in Passwords
The guidelines say to enforce minimum password complexity and change of characters when new passwords are created.
At Enzoic, we can help ensure compliance with many of the identification and authentication requirements, including a change of characters when creating new passwords. It is easy for administrators to enforce a minimum password complexity with standard Active Directory functionality, but enforcing a change of characters is more complex.
A common employee password behavior is using one root password and then using various iterations of it. This practice makes it easier for the employee to remember their password, but unfortunately it also makes the password easy for attackers to guess.
With this in mind, it is important for organizations to implement a “change of characters when new passwords are created” as outlined in NIST 800-171. With password similarity blocking, each new password is screened for similarity to the former password using the Damerau-Levenshtein distance (the minimum number of single-character insertions, deletions, substitutions, and adjacent transpositions needed to turn one string into the other).
For example, if a compromised password is “HolidayVacation2018”, attackers usually try iterations such as:
- “HolidayVacation2019” (one-character change)
- “HolidayVacation2020” (two-character change)
- “HolidayVacation18” (two digits removed)
With Enzoic for Active Directory, you can determine the amount of difference (distance) that will be required between the old password and the new password. The minimum number of differences would be 1 and the maximum number of differences would be 8. Organizations have varying opinions on how many characters should be different, including transpositions, between old and new passwords. This customization allows them to adjust it to the right level for their business.
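To make the similarity check concrete, here is an added Python example that is not Enzoic's code and not taken from the article. It computes the Damerau-Levenshtein distance (the optimal string alignment variant, which also counts adjacent transpositions) between an old and a proposed password, and applies a configurable minimum distance clamped to the 1 to 8 range described above. The function and constant names are this example's own assumptions, and the candidate list is the three iterations from the article plus two constructed passwords.

```python
"""Password-similarity check using Damerau-Levenshtein (optimal string
alignment) distance, illustrating NIST 800-171 3.5.7 "change of characters".

Constructed example for illustration only; not Enzoic's implementation.
"""


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: the minimum number of single-character
    insertions, deletions, substitutions and adjacent transpositions that
    turn string a into string b."""
    la, lb = len(a), len(b)
    # d[i][j] holds the distance between the prefixes a[:i] and b[:j]
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i  # delete all i characters of the prefix
    for j in range(lb + 1):
        d[0][j] = j  # insert all j characters of the prefix
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # deletion
                d[i][j - 1] + 1,         # insertion
                d[i - 1][j - 1] + cost,  # substitution (or match when cost == 0)
            )
            # adjacent transposition, e.g. "18" -> "81"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


# Range of the configurable minimum distance named in the article (assumed constant names).
MIN_DISTANCE_FLOOR = 1
MIN_DISTANCE_CEILING = 8


def is_sufficiently_different(old_password: str, new_password: str, min_distance: int) -> bool:
    """Return True when the new password differs from the old one by at least
    min_distance edits. min_distance is clamped into the 1..8 range.
    Assumes the filter can compare against the former password as text."""
    required = max(MIN_DISTANCE_FLOOR, min(MIN_DISTANCE_CEILING, min_distance))
    return damerau_levenshtein(old_password, new_password) >= required


def evaluate_candidates(old_password: str, candidates, min_distance: int) -> dict:
    """Map each proposed password to (distance, accepted) for a given policy."""
    return {
        c: (damerau_levenshtein(old_password, c),
            is_sufficiently_different(old_password, c, min_distance))
        for c in candidates
    }


if __name__ == "__main__":
    old = "HolidayVacation2018"
    # Constructed candidates: the three iterations from the article, a
    # transposed-digit variant, and a genuinely different passphrase.
    candidates = [
        "HolidayVacation2019",
        "HolidayVacation2020",
        "HolidayVacation18",
        "HolidayVacation2081",
        "correct horse battery staple",
    ]
    for pw, (dist, ok) in evaluate_candidates(old, candidates, min_distance=4).items():
        print(f"{pw!r}: distance {dist} -> {'accepted' if ok else 'rejected'}")
```

With a minimum distance of 4, all three of the article's iterations are rejected (distances 1, 2 and 2), the digit transposition is rejected as a single edit, and only the unrelated passphrase passes. The comparison here is on the raw strings; whether to compare case-insensitively or against more than one prior password is a policy choice the article does not specify.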
Password Filtering in Active Directory
Passwords remain a growing threat vector and we are the only provider that offers a password filter (checking on password create/reset) and continuous monitoring (daily rechecking) against a proprietary database that is refreshed every day. We are known for the breadth of our threat intelligence in compromised credentials.
Together, these capabilities allow us to deliver on the requirements for simplifying password complexity and eliminating periodic expiration, as NIST now recommends. The business advantages of these changes include better security, improved user experience, and lower costs from an authentication technology already in place.
To find out more about how we can help support character difference requirements in NIST 800-171, please read more in this whitepaper: Automate Password Policy Enforcement & NIST Password Guidelines in Active Directory.