3.5.8 has a weight of -1 points

(Identification and Authentication Family) 8/11

Prohibit password reuse for a specified number of generations.

Example of System Security Plan (SSP):

Example SSP – System Security Plan

  1. Policy Statement: The organization has implemented a policy to prohibit password reuse for a specified number of generations.
  2. Password Generation and Management:
    1. Temporary passwords are generated and provided to users upon registration or password reset requests.
    2. Users are prompted to change their temporary passwords to permanent ones immediately after system logon.
    3. Password complexity requirements are enforced, including minimum length, character types, and expiration period.
  3. Password History:
    1. The system tracks the specified number of generations (e.g., N generations) based on organizational security requirements.
  4. Password Reuse Prohibition:
    1. When users attempt to change their passwords, the system checks against the password history log to ensure the new password has not been used within the specified number of generations.
    2. If the new password matches any of the previously used passwords, the system rejects the change request and prompts the user to choose a different, unused password.
  5. Configuration Settings:
    1. The system is configured to enforce password reuse restrictions for N generations, as specified by the organizational security policy.
    2. Password history log size is set to retain the required number of previous passwords for each user.
  6. User Notifications:
    1. Users are informed about the password reuse policy during account creation, password reset, or password change processes.
    2. Users are advised to choose strong, unique passwords that have not been used within the specified number of generations.
  7. Monitoring and Auditing:
    1. The IT security team regularly monitors the system logs to ensure compliance with the password reuse policy.
    2. Detected violations are reported and addressed promptly.
  8. Exceptions:
    1. Exceptions to the password reuse policy may be granted on a case-by-case basis, subject to approval by the appropriate authority (e.g., IT security manager).
    2. All exceptions are documented, justified, and periodically reviewed.
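The password-history check the SSP describes (keep the last N generations per user, reject a new password that matches any of them, age out the oldest entry), as an added Python example that is not part of the original page. N = 5, the PBKDF2 parameters and the in-memory store are assumed values; history entries are stored as per-entry salted hashes rather than plaintext so the log itself does not leak old passwords.

```python
import hashlib
import hmac
import os

N_GENERATIONS = 5  # assumed organizational value for "N generations"


class PasswordHistory:
    """Per-user log of the last N password hashes, newest entry last (assumed design)."""

    def __init__(self, generations=N_GENERATIONS):
        self.generations = generations
        self.history = {}  # user -> list of (salt, digest) tuples

    @staticmethod
    def _hash(password, salt):
        # Salted PBKDF2 so the history log never holds recoverable passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

    def is_reused(self, user, password):
        """True if `password` matches any of the retained generations for `user`."""
        for salt, digest in self.history.get(user, []):
            # Constant-time comparison; each entry has its own salt, so rehash per entry.
            if hmac.compare_digest(self._hash(password, salt), digest):
                return True
        return False

    def change_password(self, user, new_password):
        """Apply the reuse rule: reject on a history match, otherwise record the new hash."""
        if self.is_reused(user, new_password):
            return False  # caller reports the violation and prompts for a different password
        salt = os.urandom(16)
        entries = self.history.setdefault(user, [])
        entries.append((salt, self._hash(new_password, salt)))
        del entries[:-self.generations]  # retain only the last N generations
        return True


def demo():
    """Constructed walk-through with N = 3: reuse inside the window is rejected, outside it is allowed."""
    ph = PasswordHistory(generations=3)
    results = [ph.change_password("alice", p) for p in ("Spring2024!", "Summer2024!", "Autumn2024!")]
    results.append(ph.change_password("alice", "Spring2024!"))  # still within 3 generations -> rejected
    results.append(ph.change_password("alice", "Winter2024!"))  # accepted, oldest entry aged out
    results.append(ph.change_password("alice", "Spring2024!"))  # now outside the window -> accepted
    return results  # [True, True, True, False, True, True]


if __name__ == "__main__":
    print(demo())
```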

Example of Plan of Action and Milestones (POA&M):

Milestone 1: Policy Review and Approval

  • Review the existing Password Reuse Prohibition Policy to ensure compliance with NIST 800-171 requirements and organizational security needs. [Target Date]
  • Obtain approval from the appropriate authority (e.g., IT security manager) for any necessary policy revisions. [Target Date]

Milestone 2: System Configuration and Testing

  • Configure the organization’s systems to enforce password reuse restrictions for the specified number of generations (N generations) as per the updated policy. [Target Date]
  • Test the password history log size to retain the required number of previous passwords for each user. [Target Date]

Milestone 3: Password History Log Implementation

  • Implement the password history log functionality to maintain a record of previous passwords for each user. [Target Date]
  • Verify that the system accurately tracks the specified number of generations (N generations) based on the organizational security requirements. [Target Date]

Milestone 4: User Notification and Awareness

  • Develop user notifications and advisories to inform users about the password reuse policy during account creation, password reset, or password change processes. [Target Date]
  • Advise users to choose strong, unique passwords that have not been used within the specified number of generations. [Target Date]

Milestone 5: Temporary Password Generation and Management

  • Establish procedures to generate and provide temporary passwords to users upon registration or password reset requests. [Target Date]
  • Implement prompts to ensure users change their temporary passwords to permanent ones immediately after system logon. [Target Date]

Milestone 6: Password Complexity Enforcement

  • Configure the system to enforce password complexity requirements, including minimum length, character types, and expiration period. [Target Date]
  • Test the system to ensure it correctly validates and enforces the complexity rules for user passwords. [Target Date]

Milestone 7: Monitoring and Auditing Setup

  • Set up monitoring and auditing capabilities to regularly review system logs for compliance with the password reuse policy. [Target Date]
  • Define criteria for detecting password reuse violations and establish reporting mechanisms for addressing violations promptly. [Target Date]

Milestone 8: Exception Handling Process Implementation

  • Develop and implement a process for granting exceptions to the password reuse policy on a case-by-case basis. [Target Date]
  • Define the approval authority for handling exceptions and ensure all exceptions are documented, justified, and periodically reviewed. [Target Date]

Milestone 9: Training and User Education

  • Conduct training sessions to educate users about the new password reuse policy, its importance, and the impact on system security. [Target Date]
  • Provide guidance on choosing strong and unique passwords to comply with the policy. [Target Date]

Milestone 10: Policy Rollout and Communication

  • Publish the updated Password Reuse Prohibition Policy and distribute it to all relevant stakeholders. [Target Date]
  • Communicate the policy changes to users, administrators, and IT staff to ensure awareness and compliance. [Target Date]

RELEVANT INFORMATION:

Password lifetime restrictions do not apply to temporary passwords.

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.