Compliance standards

Some organizations are required to adhere to one or more compliance standards for their authentication policies. Specops Password Auditor provides a way to evaluate how well your policies measure up against different compliance standards, such as NIST, MCSC and PCI, among others. For a full list of supported standards, see the section below.

The Password Policy Compliance report in Specops Password Auditor provides an overview of the policies in your Active Directory (or the part of your AD you defined at the start of your scan). Password Auditor will provide results for the Default Domain Password Policy, any Fine-Grained Password Policies , as well as any Specops Password Policy policies (if installed).

Password Policy Compliance report


This report provides an overview of the compliance to industry standards for every policy. Every standard has different criteria for authentication.

Compliance indicators

The Password Policy Compliance report lists compliance with industry standards for every policy by means of indicators.

  • Red: non-compliance. The policy does not meet any of the criteria set out by the standard.
  • Yellow: partial compliance. The policy meets some but not all of the criteria set out by the standard.
  • Green: full compliance. The policy meets all criteria set out by the standard.

Viewing compliance with individual standards

  1. Click on any of the compliance indicators
  2. A table is shown with each row representing a rule in the standard, the current policy's setting for that rule, and the standard's requirement.

Adjusting compliance overview

You can show or hide any columns in the overview.

  1. Click the Select dropdown
  2. Remove the checkmark next to the standard you want to hide or put a checkmark next to it to show it again.

Entropy

The entropy column is not specifically related to the outlined compliance standards. Instead, it is a measure of how “strong” the passwords allowed by the different policies are.

Compliance standards


Specops Password Auditor provides support for the following standards:

NOTE

Specops Password Auditor will check against both the built-in Windows policies as well as those created with Specops Password Policy (with Specops Breached Password Protection).

For example, standards that require users not to use dictionary words (Disallow passwords from dictionary) will be marked as non-compliant if Specops Password Policy is not used, or if the policy in Specops Password Policy is not configured to satisfy the criterium.

The tables below show which compliance criteria require additional policy tools:

  • *: Specops Password Policy
  • **: Specops Breached Password Protection

NIST

Description

The National Institute of Standards and Technology (NIST) sets the information security standards for federal agencies in the United States.

With a heavy emphasis on simplifying passwords for users, and placing the burden on authentication systems, dictionary enforcement is an important component to NIST recommendations.

With Specops Password Policy, you can create your own dictionary to block words common to your organization or use Breached Password Protection to block the use of over 3 billion compromised passwords.

Nist rules
Rule Value
Minimum length 8
Disallow passwords from dictionary* Yes
Disallow compromised passwords** Yes
Disallow incremental passwords* Yes

PCI V4

Description

Payment Card Industry Data Security Standards (PCI DSS) is a set of standards and guidelines for companies to manage and secure credit card related personal data. It’s a global standard established by the major credit card companies – Visa, Mastercard, and American in an effort to protect credit card data from theft.

The PCI-DSS requirements are heavily focused around the makeup of passwords, and can be easily achieved with a third-party password policy tool, such as Specops Password Policy.

If you wish to protect against modern password attacks, you can make use of Specops Password Policy’s custom dictionary to prevent the use of passwords common to your organization. With Specops Breached Password Protection, you can block the use of over 3 billion compromised passwords.

PCI rules
Rule Value
Minimum length 7
Maximum age 90 days
Use passphrase* Yes
Password history 4
Complexity Digit, Lower

CJIS

Description

The Criminal Justice Information Services (CJIS) Division of the US Federal Bureau of Investigation (FBI) gives state, local, and federal law enforcement and criminal justice agencies access to criminal justice information (CJI) — for example, fingerprint records and criminal histories.

Law enforcement and other government agencies in the United States must ensure that their use of cloud services for the transmission, storage, or processing of CJI complies with the CJIS Security Policy, which establishes minimum security requirements and controls to safeguard CJI.

The CJIS Security Policy outlines two sets of password standards – Basic and Advanced. The report here shows how password policies compare against the Basic standard.

CJIS rules
Rule Value
Minimum length 8
Minimum age 90 days
Disallow passwords from dictionary* Yes
Disallow compromised passwords** Yes
Password history 10
Disallow incremental passwords* Yes

HITRUST

Description

The Health Information Trust (HITRUST) is a framework that provides a way to comply with the often vague standards that apply to the healthcare industry in the United States, such as the Health Insurance Portability and Accountability Act (HIPAA).

HITRUST rules
Rule Value
Minimum length 8
Maximum age 90 days
Disallow passwords from dictionary* Yes
Disallow compromised passwords** Yes
Password history 4
Disallow incremental passwords* Yes
Complexity 2 of Digit, lower, special

NCSC

Description

The National Cyber Security Centre (NCSC) is an organization of the UK government whose approved accreditation scheme, Cyber Essentials, provides a standardized baseline for cyber security policies, controls, and technologies.

With a heavy emphasis on simplifying passwords for users, and placing the burden on authentication systems, dictionary enforcement and encouraging the use of passphrases are important components of the UK standard.

With Specops Password Policy, you can create your own dictionary to block words common to your organization or use Breached Password Protection to block the use of over 3 billion compromised passwords.

NCSC rules
Rule Value
Minimum length 8
Use passphrase* Yes
Disallow passwords from dictionary* Yes
Disallow compriomised passwords** Yes

BSI

Description

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, abbreviated as BSI) is an agency responsible for information security for the German federal government.

The BSI is also the central certification body for IT systems. This means that any IT product or system that is to be used by the federal government, must meet the security standards of the BSI.

BSI rules
Rule Value
Minimum length 8
Disallow passowords from dictionary* Yes
Disallow compromised passwords** Yes
Password history 4
Complexity 2 of Digit, Lower, Special, Upper

ANSSI

Description

The National Agency for the Security of Information Systems (ANSSI) is France's national authority charged with supporting and securing the development of digital technology.

The ANSSI security standard includes several password recommendations including checking against a list of known compromised passwords and encouraging the use of passphrases.

ANSSI rules
Rule Value
Minimum length 15
Use passphrase* Yes
Disallow passwords from dictionary* Yes
Disallow compromised passwords** Yes
Password history 4
Complexity 3 of Digit, Lower, Special, Upper

CNIL

Description

Data privacy has become a priority for global businesses due to sweeping regulations such as the General Data Protection Regulation (GDPR). At the same time, other regulatory bodies continue to enforce local data privacy laws. In France, for example, the data protection authority is the Commission nationale de l’informatique et des libertés (CNIL).

The CNIL provides cybersecurity guidance related to collecting, storing, and using personal data. Naturally, securing passwords is an important part of the guidance.

CNIL rules
Rule Value
Minimum length 12
Disallow compromised passwords** Yes
Complexity Digit, Lower, Special, Upper